Cyber Counterintelligence: Assets, Audiences, and the Rise of

Cyber Counterintelligence: Assets, Audiences, and the Rise

of Disinformation

Courteney J. O’Connor

July 2021

A thesis submitted for the degree of Doctor of Philosophy of

The Australian National University

© Copyright by Courteney J. O’Connor 2021

All Rights Reserved

ii

iii

Declaration

This thesis contains no material which has been accepted for the award of any other degree or

diploma in any university. To the best of my knowledge, it contains no material previously

published or written by another person, except where due reference is made in the text. My research

was partially supported by an Australian Government Research Training Program (RTP)

Scholarship.

Courteney J. O’Connor

July 2021

iv

v

Acknowledgements

I extend my deepest thanks and gratitude to Associate Professor Adam Henschke, Associate

Professor Matthew Sussex, and Dr. Jennifer Hunt. Thank you for the advice, the humour, the

lessons, the patience, the understanding, the compassion, and the time you have all given me over

the last five years. I appreciate it more than I could ever truly articulate, and I am a better scholar

for having been the beneficiary of your guidance. Thanks also to Professor Paul Cornish and

Professor Roger Bradbury– your advice and expertise have been invaluable tools and I truly

appreciate your guidance.

My family have been a source of constant strength and support throughout this project as they

have been for every other part of my life. To my mothers – thank you. You are my inspiration and

I hope I have done you proud. Micayla, Tyler, Cambell – thank you for being truly excellent and

frequently hilarious siblings.

Dr. Megan Poore and Mrs. Tracy McCrae – you are the pillars upon which the Crawford PhD

program rests. Thank you for everything.

Jessie, John, Ana, Mel, the ladies of BC – thank you for all keeping me laughing and always being

there to listen, to cheerlead, and even occasionally to proofread. I appreciate you all beyond words.

I undertook this project because I had questions I wanted answered. After five years of research

and analysis, I can safely say I have more questions than I started with and more answers than I

ever thought I would find. Thank you to everyone who listened, who offered advice, who pointed

me toward helpful material, who spotted a junior academic and took the time to help out. Thank

you to everyone who taught me how to find the answers and accept that the good ones always

open up new questions.

vi

vii

Abstract

In April 2021, Facebook suffered yet another data breach that affected hundreds of millions of

accounts. The private information of over 500 million people had been stolen by hackers - names,

phone numbers, email addresses, locations and more. The cache is potentially valuable to a host of

malicious actors, from criminals motivated by financial gain to hostile foreign actors microtargeting

voters through information operations. It follows an evolution of threats in cyberspace targeting

government agencies, utilities, businesses, and electoral systems. With a focus on state-based actors,

this thesis considers how state threat perception of cyberspace has developed, and if that

perception is influencing the evolution of cyber counterintelligence (CCI) as a response to cyber-

enabled threats such as disinformation. Specifically, this thesis traces the threat elevation of

cyberspace through the evolution of the published national security documentation of the United

Kingdom, asking how threat elevation corresponds to the development of CCI, if at all, and what

sort of responses these processes generate to combat the rising threat of disinformation campaigns

conducted against liberal democracies.

Democratic audiences are a target of influence and information operations, and, as such, are an

intelligence and security vulnerability for the state. More so than in previous decades, to increase

national resilience and security in cyberspace, the individual, as part of the democratic audience, is

required to contribute to personal counterintelligence and security practices. This research shows

that while assets and infrastructure have undergone successful threat elevation processes,

democratic audiences have been insufficiently recognised as security vulnerabilities and are

susceptible to cyber-enabled disinformation.

viii

ix

“It ain’t what you don’t know that gets you into trouble. It’s

what you know for sure that just ain’t so.”

Mark Twain.

x

xi

TABLE OF CONTENTS Acknowledgements ........................................................................................................................... v

Abstract ........................................................................................................................................... vii

Figures and Tables ........................................................................................................................ xiii

Acronyms ......................................................................................................................................... xv

1 - Introduction .................................................................................................................................. 1

Approach and Research Design ................................................................................................................................................ 4 Chapter Outline ........................................................................................................................................................................ 17

2 - Contextualising Cyber Counterintelligence: the Need for Threat Elevation Analysis ............. 19

Securitisation ............................................................................................................................................................................. 19 Counterintelligence .................................................................................................................................................................... 57 Disinformation .......................................................................................................................................................................... 67 Conclusion ................................................................................................................................................................................. 74

3 - Threat Elevation Analysis .......................................................................................................... 76

Securitisation as Threat Elevation Theory ............................................................................................................................. 76 The Threat Elevation of Cyberspace ....................................................................................................................................... 84 Threat Elevation of Cyberspace ............................................................................................................................................. 114 Conclusion: Riskified but Not Securitised ............................................................................................................................ 115

4 - The United Kingdom: Tracing the Threat Perception of Cyberspace ..................................... 117

Document Selection and Justification .................................................................................................................................... 118 Analysis: National Security Strategies and Strategic Defence and Security Reviews ........................................................ 119 Analysis: Cyber Security Strategies ....................................................................................................................................... 150 Case Summary ........................................................................................................................................................................ 164 Conclusion ............................................................................................................................................................................... 166

5 - Counterintelligence and Cyberspace ....................................................................................... 168

Cyber Counterintelligence ....................................................................................................................................................... 173 A Typology of Cyber Counterintelligence .............................................................................................................................. 185 Conclusion ............................................................................................................................................................................... 221

6 - CCI in an Age of Disinformation: Assets vs. Audiences ......................................................... 223

Disinformation ........................................................................................................................................................................ 227 Elevating the Audience .......................................................................................................................................................... 246 Elevation and Audiences – COVID-19 Disinformation ................................................................................................. 254 Recognition and Resilience: Successful Threat Elevation in Sweden ................................................................................... 260 Conclusion: Elevating the Threat of Disinformation ........................................................................................................... 267

7 - Conclusion ................................................................................................................................ 270

Bibliography .................................................................................................................................. 277

xii

xiii

Figures and Tables

Figure 1 - The Elements of Cyber Security ........................................................................................ 3

Figure 2 - The Elements of Securitisation Theory ........................................................................ 24

Figure 3 - The Sectors of Security ....................................................................................................... 33

Figure 4 - Photo: Robert Clark, Associated Press, 2001 ............................................................... 44

Figure 5 - Securitisation and the orders of concern ...................................................................... 81

Table 1 – Passive, Active, Proactive Intelligence Collection .................................................... 188

Table 2 – Passive, Active, Proactive Cyber Counterintelligence ............................................. 190

Figure 6 - Twitter flags potential disinformation ......................................................................... 234

xiv

xv

Acronyms

5G Fifth-Generation

9/11 September 11, 2001 World Trade Centre terrorist attacks

ABC American Broadcasting Company

ACD Active Cyber Defence

ACSC Australian Cyber Security Centre

APT Advanced Persistent Threat

ASPI Australian Strategic Policy Institute

ATM Automatic Teller Machine

CBRN

CCDCOE

Chemical Biological Radiological Nuclear

Cooperative Cyber Defence Centre of Excellence

CCI Cyber Counterintelligence

CCTV Close Circuit Television

CEO Chief Executive Officer

CERT Computer Emergency Response Team

CIA

CIR

Central Intelligence Agency (United States)

Cyber Incident Response

CNN Cable News Network

COPRI Copenhagen Peace Research Institute

COVID-19 Coronavirus Disease of 2019 (virus SARS-CoV2)

CRG Corporate Response Group

CSOC Cyber Security Operations Centre (United Kingdom)

CSS Cyber Security Strategy

CST Copenhagen Securitisation Theory

DCOG Defence Cyber Operations Group

DDoS Distributed Denial of Service

DNC Democratic National Committee

EU European Union

FBI Federal Bureau of Investigation (United States)

FOI Totalförsvarets Forskningsinstitut (Defence Research Agency, Sweden)

GCHQ Government Communications Headquarters (United Kingdom)

GDP Gross Domestic Product

GFC Global Financial Crisis

xvi

GGE Group of Governmental Experts (United Nations)

GPS Global Positioning System

HIV/AIDS Human Immunodeficiency Virus/Acquired Immunodeficiency

Syndrome

HUMINT Human Intelligence

IDP Internally Displaced Persons

IoT Internet of Things

IP

IRA

Intellectual Property

Internet Research Agency

ISIL Islamic state of Iraq and the Levant (Alternate name: Daesh. See also:

ISIS)

ISIS Islamic state of Iraq and Syria (Alternate name: Daesh. See also: ISIL)

ISP

IT

Internet Service Provider

Information Technology

KGB Komitet Gosudartvennoy Bezopasnosti (Committee for State Security,

Soviet Union)

LAN Local Area Network

MAD Mutually Assured Destruction

MI5 Military Intelligence Section 5/Security Service (United Kingdom)

MOD Ministry of Defence (United Kingdom)

MSB Myndigheten för Samhällsskydd och Beredskap (Civil Contingencies

Agency, Sweden)

MSF Medecins Sans Frontiers (Doctors Without Borders)

NATO North Atlantic Treaty Organisation

NCG Non-affiliated Citizen Group

NGO Non-Governmental Organisation

NSA National Security Agency (United States)

NSCR National Security Capability Review

NSS

NZ

National Security Strategy

New Zealand

OCEAN Openness, Conscientiousness, Extraversion, Agreeableness,

Neuroticism

OCS

OECD

Office of Cyber Security (United Kingdom)

Organisation for Economic Cooperation and Development

xvii

P5

PII

Permanent Five (Member of the UNSC)

Personally Identifiable Information

PIN Personal Identification Number

PLA People’s Liberation Army (China)

PRC

RSCT

People’s Republic of China

Regional Security Complex Theory

SCADA Supervisory Control and Data Acquisition (System)

SDSR Strategic Defence and Security Review

SIGINT

SIS

Signals Intelligence

Secret Intelligence Service (United Kingdom)

SOC Serious Organised Crime

SSAG state-sponsored or –Affiliated Group

SSCI Senate Select Committee on Intelligence (United States)

UAV Unmanned Aerial Vehicle

UDHR Universal Declaration of Human Rights

UK United Kingdom

UN United Nations

UNIDIR United Nations Institute for Disarmament Research

UNSC United Nations Security Council

US United States of America

USB Universal Serial Bus

USSR Union of Soviet Socialist Republics (Alternate name: Soviet Union)

VPN Virtual Private Network

WHO World Health Organisation

WMD Weapons of Mass Destruction

xviii

1

1 - Introduction

In April 2021, the news broke that Facebook had suffered a data breach that affected hundreds of

millions of accounts. The private, personally identifiable information of over 500 million people

had been stolen by hackers - names, phone numbers, email addresses, and more.1 Over the last five

years, multiple elections in Western democratic states have been affected by organised

disinformation campaigns targeted at the voting populations of those states.2 The two problems of

cyber security and disinformation are conceptually related. Without adequate cyber security

measures in place, our information is vulnerable to malicious actors. That information can be used

for the targeting of information operations. Disinformation, if communicated efficiently and

effectively, has the potential to undermine the integrity of not only democratic elections but the

concept of democracy itself. If the voting public of a state is misled and makes their decisions based

on false information, the integrity of that election and the resulting government has been degraded.

Though the Facebook hack is not the first data breach of its kind,3 the attackers were able to retrieve

an immense volume of data that could easily be used for targeting in information operations.

These two challenges are emblematic of both the need for, and the relative insufficiency of, cyber

counterintelligence (CCI) measures and processes. They are also evidence of the fact that while

1 Paul Haskell-Dowland, “Facebook Data Breach: What Happened and Why It’s Hard to Know If Your Data Was Leaked,” The Conversation, April 6, 2021, http://theconversation.com/facebook-data-breach-what-happened-and-why-its-hard-to-know-if-your-data-was-leaked-158417; Aaron Holmes, “533 Million Facebook Users’ Phone Numbers and Personal Data Have Been Leaked Online,” Business Insider Australia, April 3, 2021, https://www.businessinsider.com.au/stolen-data-of-533-million-facebook-users-leaked-online-2021-4; Lily Hay Newman, “What Really Caused Facebook’s 500M-User Data Leak?,” Wired, April 6, 2021, https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/. 2 Saskia Brechenmacher, “Comparing Democratic Distress in the United States and Europe” (Washington, DC: Carnegie Endowment for International Peace, 2018); Office of the Director of National Intelligence, “Assessing Russian Activities and Intentions in Recent US Elections” (National Intelligence Council, January 6, 2017), https://www.dni.gov/files/documents/ICA_2017_01.pdf. 3 Facebook alone has suffered at least 9 massive data breaches in the period spanning 2005-2021, with victim counts ranging from 70,000 to more than 600 million. See Riddhi Jain, “A Complete Facebook Data Breach & Privacy Leak Timeline (2005 to 2021),” iTMunch, April 14, 2021, https://itmunch.com/facebook-data-breach-timeline-2005-2021/; SelfKey, “Facebook’s Data Breaches - A Timeline,” SelfKey (blog), March 11, 2020, https://selfkey.org/facebooks-data-breaches-a-timeline/. Similar breaches with massive amounts of data lost in the breach include those of eBay, Equifax, JP Morgan, and Sony. See BBC News, “Sony Pays up to $8m over Employees’ Hacked Data,” BBC News, October 21, 2015, sec. Business, https://www.bbc.com/news/business-34589710; Josh Fruhlinger, “Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact?,” CSO Online, February 12, 2020, https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html; Steve Ragan, “Raising Awareness Quickly: The EBay Data Breach,” CSO Online, May 21, 2014, https://www.csoonline.com/article/2157782/security-awareness-raising-awareness-quickly-the-ebay-database-compromise.html; Dominic Rushe, “JP Morgan Chase Reveals Massive Data Breach Affecting 76m Households,” the Guardian, October 3, 2014, http://www.theguardian.com/business/2014/oct/02/jp-morgan-76m-households-affected-data-breach.

Chapter 1 - Introduction

2

traditional intelligence operations might be the sole remit of the sovereign state, in the cyber era it

also falls to corporations and individuals to contribute to both their own cyber security and to the

aggregate security of the state and the international networks of which they are a part.

To contextualise this thesis going forward, it is important to delineate CCI from cyber security.

Where cyber security refers to the overall state of, and methods of assuring, the overall security of

cyberspace or an entity operating therein, cyber counterintelligence concerns the specific practices

intended to obviate attempts at intelligence collection (espionage) or exploitation that then enable

disruption events.4

According to this understanding, CCI feeds into overall cyber security – See Figure 1 The Elements of

Cyber Security. For modern states to develop cyber resilience and make positive gains toward a secure

cyberspace, it is crucial that the understanding and practice of CCI evolve at both the state and the

individual levels. Given this requirement, this research offers the framework of ‘threat elevation

analysis’ and uses that framework to build on previous research in the fields of CCI, and

disinformation as a threat to democratic integrity. Disinformation is understood in this thesis as

false information that is introduced into a target political information ecology in order to instigate

behavioural or political change and will be considered at length in chapter six. This thesis analyses

the threat elevation of cyberspace using a state actor case study, drawing links between cyber

counterintelligence as it contributes to cyber security and the necessity of cyber counterintelligence

practices by states and substate actors to counter disinformation operations.

4 Disruption events may range from the irritating but largely defendable (Distributed Denial of Service (DDoS) attacks against websites), to the destructive use of cyber operations to degrade or destroy services such as telecommunications.

Courteney O’Connor – PhD Thesis 2021

3

Cyberspace has become one of the fundamental pillars of modern life. We use it in every sector of

our lives - for communication, to conduct our finances and for commercial transactions, to execute

our civic responsibilities. With time, more and more people are benefiting from the efficiency of

cyberspace and the multiplicity of platforms that it supports. However, with this profusion of

access to cyberspace comes an increase in the dangers posed to ordinary life from cyber-enabled

malicious actors and their level of access to both foreign populations and foreign states. Accepting

that cyberspace is a threat vector, it is the responsibility of the state to secure cyberspace insofar as

is possible for the ongoing safety and wellbeing of its citizens and the security of the state itself.

However, the number of actors in cyberspace and the potential for threat that these actors

represent increases the surface area that states must protect. To contribute to the resilience of

cyberspace technologies as well as the individuals that use those technologies, states need to design

risk management and threat mitigation measures that also promote greater cyber security.

However, this is not the sole remit of the state. To increase national resilience and security in

cyberspace, the individual, as part of the democratic audience, is required to contribute by engaging

in personal CCI and security practices that increase the aggregate resilience and security of the state.

But how can states, and individuals, best develop their understanding of the risks and threats of

cyberspace in order to best engage with CCI? How can we trace the elevation of that threat

perception, and what have the effects of that elevation been on the development and utilisation of

CCI?

Cyber Security

Cyber Intelligence Cyber Counterintelligence

Cyber Offence Cyber Defence

Figure 1 The Elements of Cyber Security


4

Threat elevation analysis as offered in chapter three identifies the process according to which risks

and threats are perceived and then elevated to a higher stage of concern. The status of an identified

issue – concern, risk, threat – indicates the level of management or mitigation that the issue in

question should receive. This thesis critically evaluates the development of the threat elevation and

perception of cyberspace in the United Kingdom (UK) and whether there has been a concurrent

(unclassified, observable) development of CCI. More specifically, this thesis will engage in process-

tracing to analyse the evolution of cyberspace as a perceived threat in the UK. It is expected that

this examination will highlight any published (unclassified) admission or definition of CCI as

understood or practiced by the UK. “In process-tracing, the researcher examines histories, archival

documents, interview transcripts, and other sources to see whether the causal process a theory

hypothesises or implies in a case is in fact evident in the sequence and values of the intervening

variables in that case...”5 In other words, when we engage in process-tracing, we analyse the

trajectory of change.6 While the generalisability of the conclusions drawn from the analysis of a

single case study would need to be highly qualified and thoroughly examined for applicability within

context and specific rules, in this instance the method according to which the understanding of the

threat level of cyberspace developed (or did not develop) in the UK will be able to provide

policymakers considering the same problems with an understanding of how this has been done

previously. The observed results of that process can help inform the policymakers’ decisions about

how or whether a similar process can be undertaken in their state, and may provide suggestions or

warnings for that future development and implementation.

Approach and Research Design

The purpose of this thesis is three-fold; first, to develop an understanding of how identified

concerns are elevated by legitimate actors through riskification and securitisation processes, and

the constituent elements of these elevating processes. The second is to build upon previous

research on the definition and typology of CCI. Has the development of CCI been affected by the

evolving perceptions of the vulnerabilities of cyberspace? Who uses (and who should use) CCI,

and are there differences in the context or uses of CCI? In considering the operational

understanding of a relatively novel field like CCI, this thesis will discuss the tactical and strategic

understandings of, and uses for, CCI in line with the assumptions and consequences of the threat

elevation analysis. The third purpose of this thesis is to apply threat elevation analysis and CCI to

5 Alexander L. George and Andrew Bennett, Case Studies and Theory Development in the Social Sciences (Cambridge: The MIT Press, 2005), 6–7. 6 David Collier, “Understanding Process Tracing,” PS: Political Science & Politics 44, no. 4 (October 2011): 823, https://doi.org/10.1017/S1049096511001429.


5

a case study of a specific state, and against a specific national security concern. In chapter three, I

will apply threat elevation analysis to a case study on the UK and examine whether threat elevation

of cyberspace and the development of counterintelligence responses can be ascertained through

official (published) documentation. I will then draw the threat elevation framework; UK case study;

and CCI discussion together in a contextualising example in my chapter on disinformation.

Purpose

The primary research question of this thesis is how has state threat perception of cyberspace

developed, and how/is that perception influencing the evolution of CCI as a response to cyber-

enabled threats such as disinformation? This generates two lines of research that will contribute to

answering the primary question. First, the framework through which any development in state

threat perception can be identified and analysed. The framework chosen and the conclusions drawn

from the analysis will affect the subsequent line of research, being the identification and

development of CCI as a response to cyber-enabled threats. To limit the scope of the thesis, rather

than attempt a generalised analysis of all cyber-enabled threats, I have chosen to examine

disinformation conducted via cyberspace. With the rise in use and increasing ubiquity of cyberspace,

the question must be asked whether states’ conceptions of counterintelligence (and thus, national

security requirements) are evolving apace.

The framework I utilise in my research and investigation is threat elevation analysis, a variant of the

Copenhagen securitisation theory (CST) that has been developed with the intent of it being

generalisable across the broadest spectrum of national security analysis. Threat elevation analysis

describes a framework according to which the evolution of threats can be traced and analysed. It

is a multistep process of elevation that involves first riskification of an issue (per Olaf Corry’s

framework)7 and, if management fails, securitisation of that issue followed by mitigation methods.

This framework is used in this thesis to analyse the elevation of cyberspace as a threat in the UK

through the examination of national security documentation published between 2008 and 2018.

Threat elevation analysis is one of the primary contributions to existing knowledge made by this

research. Ideally, further research will be undertaken to evaluate this framework beyond the bounds

of the questions that define this research project to further analyse the assumptions of the theory.

7 Olaf Corry, “Securitisation and ‘Riskification’: Second-Order Security and the Politics of Climate Change,” Millennium: Journal of International Studies 40, no. 2 (January 2012): 235–58, https://doi.org/10.1177/0305829811419444.


6

Several smaller research questions must be considered in order to address the overarching research

question informing the research design of this thesis, and these are used to structure the narrative

line of this manuscript. Beginning with the theoretical framework itself: what is threat elevation

theory? How does it work, and why has it been developed? Following from this question, the

subsequent section deals with the intersection of threat elevation analysis and cyberspace: has the

latter been elevated, to either a security risk or a security threat? And how can this then be assessed

against the development of CCI as an operational field, and as it is conceived in the national security

arena? The subsequent question concerns CCI itself: what is it? How does it fit into the intelligence

field, and into the conception of national security in the contemporary era? Traditional

counterintelligence has contributed to, and informed, national security policies and practices for as

long as intelligence has existed as an operational concern;8 what changes, if any, should there

be/have there been to this working definition and operational field with the growing dependence

on the cyber domain in all aspects of modern life? Finally, what is the connection between CCI

and the rising threat of disinformation, and how have state responses to disinformation developed?

Method

This research is fundamentally qualitative in nature, and based on the research questions identified

above I determined documentary analysis alongside theory and concept development to be the

methods best suited to addressing the research goals. This section discusses the three general

methods of research utilised in this thesis: framework development, for threat elevation analysis.

Concept development, for the definition and typologies of CCI. Case study analysis, to include

documentary analysis, for the examination of the UK and the subsequent analysis of approaches

to disinformation.

Framework Development

The initial stages of this research were undertaken according to the assumption that the theoretical

framework being used was Copenhagen (traditional) securitisation theory. According to the basic

tenets of this theory (discussed in chapter two), a legitimate actor securitises a security concern by

speaking it as such. That is to say, through discursive legitimation before a legitimate audience, in

saying that something is an existential threat to the state, it is accepted and then mitigated as one.

However, applying traditional securitisation theory in the modern day to contemporary events like

cyber-attacks, the assumptions of this theory tend to weaken, such that the decision was made to

8 See section on the history and development in chapter two.


7

develop a framework that would be based on the foundations of securitisation but is more aligned

to the requirements and realities of modern risks and threats.

To develop a theory that is not too similar to existing ones so as to prevent contribution to

knowledge, but also to build upon the foundations of the existing body of securitisation literature,

several steps were taken. First, identification of the elements and processes of traditional

securitisation theory that remained relevant and applicable. Second, identification of the specific

problems of securitisation theory that made application of the framework to contemporary issues

problematic. Third, and based on the problems identified in step two, was the identification and

development of the elements and processes required in the innovated framework that would both

work well with the remaining elements of securitisation theory, and would also develop a deeper

understanding of the ways in which security concerns are elevated to risks (for management) and

threats (for mitigation). Finally, the results of steps one through three were combined and two

separate elevation processes emerged to represent the journey of a security concern through to risk

and then threat: riskification (per Olaf Corry’s theory) and then securitisation, (per traditional

securitisation and concepts identified for this research).9

The primary source of material on the concepts and processes of securitisation is Security: A New

Framework for Analysis by Ole Waever, Barry Buzan, and Jaap de Wilde.10 The text identifies and

explains the constituent elements of what is now termed Copenhagen securitisation theory and

then identifies and explains the process by which a security concern is ‘securitised’. While other

sources have been considered, such as those dealing with the Paris School and Welsh School

evolutions of securitisation theory, most roads in the securitisation literature lead back to Buzan,

9 Corry, “Securitisation and ‘Riskification.’” 10 Barry Buzan, Ole Waever, and Jaap de Wilde, Security: A New Framework for Analysis (Boulder: Lynne Rienner Publishers, Inc, 1998). See also Thierry Balzacq, “A Theory of Securitization: Origins, Core Assumptions, and Variants,” in Securitization Theory: How Security Problems Emerge and Dissolve, PRIO, New Security Studies (New York: Routledge, 2011), 1–30; Thierry Balzacq, “Securitization Theory: Past, Present, and Future,” Polity 51, no. 2 (April 2019): 331–48, https://doi.org/10.1086/701884; Corry, “Securitisation and ‘Riskification’”; Matt McDonald, “Securitization and the Construction of Security,” European Journal of International Relations 14, no. 4 (December 2008): 563–87, https://doi.org/10.1177/1354066108097553; Joanna Nyman, “Securitization Theory,” in Critical Approaches to Security: An Introduction to Theories and Methods, ed. Laura J. Shepherd (Oxon: Routledge, 2013), 51–62; Holger Stritzel, Security in Translation: Securitization Theory and the Localization of Threat, New Security Challenges (New York: Palgrave Macmillan, 2014); Ole Waever, “Securitisation: Taking Stock of a Research Programme in Security Studies” (2003), https://docplayer.net/62037981-Securitisation-taking-stock-of-a-research-programme-in-security-studies.html; Michael C. Williams, “Words, Images, Enemies: Securitization and International Politics,” International Studies Quarterly 47, no. 4 (December 2003): 511–31, https://doi.org/10.1046/j.0020-8833.2003.00277.x; Michael C. Williams, “Securitization as Political Theory: The Politics of the Extraordinary,” International Relations 29, no. 1 (2015): 114–20.


8

Waever and de Wilde.11 It is also important to note that, as outlined in the paragraph above, many

of the original elements of Copenhagen securitisation have been included in either original or

manipulated form in the elevation theory framework that guides the research of this thesis. The

second text which forms the basis of the theoretical development of threat elevation theory is Olaf

Corry’s 2011 article concerning the transformation of risks and threats.12 While the article itself

focuses mainly on the risks of, and associated with, climate change, the tenets of the riskification

process that he develops in the article form the basis of the first of the elevating processes of threat

elevation analysis.

Concept Development

A significant security threat to the modern state is the use of cyberspace and cyber-enabled systems

and technologies. As with many fields of academia in relation to national security concerns,

however, there has been a significant lag between the identification of immediate national security

requirements, and research and academic analysis being published in order to build a foundation

of both empirical and theoretical knowledge in those areas of concern. There is an evolving body

of literature on cyber intelligence and counterintelligence that defines and offers cases and

examples of CCI as a branch of counterintelligence discipline and practice, some of which I will

11 See chapter two for a discussion of post-Copenhagen securitisation theories. For further reading, see Rita Floyd, “Towards a Consequentialist Evaluation of Security: Bringing Together the Copenhagen and the Welsh Schools of Security Studies,” Review of International Studies 33, no. 2 (2007): 327–50; Olav F. Knudsen, “Post-Copenhagen Security Studies: Desecuritizing Securitization,” Security Dialogue 32, no. 3 (2001): 355–68. 12 Corry, “Securitisation and ‘Riskification.’”


9

examine in chapter two.13 I have previously offered a basic definition and typology of CCI.14

However, there is still a significant gap in the literature on this field. In chapter five, this thesis will

further develop that understanding and typology, in relation to the understanding that cyberspace

has been elevated and is being perceived as either a disparate threat or a modern vector for more

traditional varieties of threat.15 In order to further the understanding of CCI offered in previous

research, this thesis will consider the operational varieties and purpose of CCI with reference to

both the pre-existing basic typology, as well as a more complex consideration of what, precisely,

CCI is and does or can do. Within operational CCI, this thesis explores two key areas: strategic

CCI, and tactical CCI.

The primary bodies of literature evaluated in chapter two are those concerning traditional

intelligence and counterintelligence, and the burgeoning literature on the value of and danger to

intelligence and national security of cyberspace and cyber-enabled processes and technologies.16 In

the initial stages of this research, literature on CCI was rare and often tied to, or a subsection of,

other (related) fields; this body of literature has increased during the years subsequent to the

commencement of my research, but remains fairly sparse relative to other fields of national security

13 See P. Duvenage and S. von Solms, “The Case for Cyber Counterintelligence,” in 2013 International Conference on Adaptive Science and Technology, 2013, 1–8, https://doi.org/10.1109/ICASTech.2013.6707493; Petrus Duvenage and Sebastian von Solms, “Putting Counterintelligence in Cyber Counterintelligence: Back to the Future,” in Proceedings of the 13th European Conference on Cyber Warfare and Security (13th European Conference on Cyber Warfare and Security, Piraeus, Greece: Academic Conferences International Limited, 2014), 70–79; PC Duvenage and Sebastian von Solms, “Cyber Counterintelligence: Back to the Future,” Journal of Information Warfare 13, no. 4 (2015): 42–56; Petrus Duvenage, Sebastian von Solms, and Manuel Corregedor, “The Cyber Counterintelligence Process - a Conceptual Overview and Theoretical Proposition,” in Published Proceedings of the 14th European Conference on Cyber Warfare and Security (14th European Conference on Cyber Warfare & Security, Hatfield, UK, 2015), 42–51; Petrus Duvenage, Thenjiwe Sithole, and Sebastian von Solms, “A Conceptual Framework for Cyber Counterintelligence: Theory That Really Matters,” in European Conference on Cyber Warfare and Security (Reading, United Kingdom: Academic Conferences International Limited, 2017), 109–19, https://search.proquest.com/docview/1966799163/abstract/9550E79F8887474EPQ/1; Petrus Duvenage, Thenjiwe Sithole, and Basie von Solms, “Cyber Counterintelligence: An Exploratory Proposition on a Conceptual Framework,” International Journal of Cyber Warfare and Terrorism 9, no. 4 (October 2019): 44–62, https://doi.org/10.4018/IJCWT.2019100103; Geoffrey S. French and Jin Kim, “Acknowledging the Revolution: The Urgent Need for Cyber Counterintelligence,” National Intelligence Journal 1, no. 1 (2009): 71–90; Courteney J O’Connor, “Cyber Counterintelligence: Concept, Actors, and Implications for Security,” in Cyber Security and Policy: A Substantive Dialogue, ed. Andrew Colarik, Julian Jang-Jaccard, and Anuradha Mathrani (Palmerston North: Massey University Press, 2017), 109–28; J. Sigholm and M. Bang, “Towards Offensive Cyber Counterintelligence: Adopting a Target-Centric View on Advanced Persistent Threats,” in 2013 European Intelligence and Security Informatics Conference (2013 European Intelligence and Security Informatics Conference, IEEE Computer Society, 2013), 166–71, https://doi.org/10.1109/EISIC.2013.37; George Vardangalos, “Cyber-Intelligence and Cyber Counterintelligence (CCI): General Definitions and Principles” (Center for International Strategic Analyses, 2016), https://kedisa.gr/wp-content/uploads/2016/07/Cyber-intelligence-and-Cyber-Counterintelligence-CCI-General-definitions-and-principles-2.pdf. 14 O’Connor, “Cyber Counterintelligence.” 15 Is cyberspace itself a threat? Or is it merely a new vehicle for old threats, like fraud or theft? 16 See chapter three for an examination of CCI; see chapter six for an examination of disinformation as a CCI problem.


10

and strategic studies research.17 One of the contributions of this thesis to the existing body of

knowledge in national security, strategic studies, and intelligence and counterintelligence fields will

be the development of understanding of CCI as a delineated subfield of the overarching

counterintelligence discipline.

This research utilises the definition of CCI offered in Cyber Counterintelligence: concept, actors, and

implications for security.18 That definition was built upon existing definitions of cyberspace, networks,

and networked technologies. Finding that definition of CCI to be relevant and accurate, no changes

have been made to it, and as such CCI is understood to consist of

the methods, processes and technologies employed to prevent, identify, trace, penetrate, infiltrate, degrade, exploit and/or counteract the attempts of any entity to utilise cyberspace as the primary means and/or location of intelligence collection, transfer or exploitation; or to affect immediate, eventual, temporary or long-term negative change otherwise unlikely to occur.19

Following from this definition, the second half of chapter five further develops the basic typology

of CCI previously offered by the author in order to broaden both the understanding and the

application of this typology to the ways in which states seek to secure cyberspace and/or their

conceptions of cyber security in the modern age. Further to this development, the typology also

considers the operationalisation of CCI across two broad areas: strategic CCI, and tactical CCI. It

is anticipated that the overall discussion of CCI as a concept and a practice will support further

research on the place that CCI has in modern conceptions of security, particularly in an increasingly

digitally influenced world where disinformation and propaganda campaigns are having an outsize

effect on leadership and policy decisions among (Western) democracies. A greater understanding

of CCI will ultimately serve policymakers in the conception and drafting of national security

policies and strategies based on an informed understanding of the risks inherent in the use of

cyberspace and the ways those risks must be managed.

This particular definition of CCI accepts that any entity may conduct intelligence collection,

transfer or exploitation in cyberspace, and engages with practices intended to mitigate attempts at

17 See Duvenage and Solms, “The Case for Cyber Counterintelligence”; Duvenage and von Solms, “Putting Counterintelligence in Cyber Counterintelligence: Back to the Future”; Duvenage and von Solms, “Cyber Counterintelligence: Back to the Future”; Duvenage, von Solms, and Corregedor, “The Cyber Counterintelligence Process - a Conceptual Overview and Theoretical Proposition”; Duvenage, Sithole, and von Solms, “A Conceptual Framework for Cyber Counterintelligence”; Duvenage, Sithole, and von Solms, “Cyber Counterintelligence”; French and Kim, “Acknowledging the Revolution: The Urgent Need for Cyber Counterintelligence”; Sigholm and Bang, “Towards Offensive Cyber Counterintelligence”; Vardangalos, “Cyber-Intelligence and Cyber Counterintelligence (CCI): General Definitions and Principles.” 18 O’Connor, “Cyber Counterintelligence.” 19 O’Connor, 112.


11

effecting negative change. This is particularly relevant in the chapter six analysis of disinformation

as a national security and democratic integrity threat, as it is the combination of cyber-enabled

communications platforms used to conduct information operations and the targeting of individuals

and populations that make disinformation so dangerous to democratic societies. Effective CCI can

only occur when both technology and psychology are adequately protected and made resilient to

external influence and exploitation.

Case Study

The initial contribution of this thesis is the development of the threat elevation analysis framework,

articulated and developed in chapter three. The development of CCI has also been outlined. The

content of the current section will discuss how the assumptions of both models will be examined

in the course of this research. As stated above, this thesis is a qualitative project. Threat elevation

analysis is a descriptive-analytical framework, and it is not intended to be either prescriptive or

proscriptive.

The conceptual development and examination of CCI is also an inherently qualitative undertaking.

A case study analysis was selected as the most appropriate form of theory and concept testing for

the subjects under investigation in this thesis. According to George and Bennett, “the case study

approach [is] the detailed examination of an aspect of a historical episode to develop or test

historical explanations that may be generalizable to other events.”20 With intelligence and security

issues, case studies can be particularly beneficial for examining the flow-on effects for problem

solving. As explained by Harry Eckstein, “[c]ase studies may be used not merely for the interpretive

application of general ideas to particular cases (that is, after theory has been established) or,

heuristically, for helping the inquirer to arrive at notions of problems to solve or solutions worth

pursuing, but may also be used as powerful means of determining whether solutions are valid.”21

This study follows the heuristic case study model outlined by Eckstein: the application of inductive

logic to a unique case to draw conclusions about a particular aspect or problem. The case study is

used to aid in the identification of “important general problems and possible theoretical

solutions.”22 Heuristic case studies focus the attention specifically on the discovery and problem-

solving aspects of case study analysis. This is particularly relevant to the analysis of threat

20 George and Bennett, Case Studies and Theory Development in the Social Sciences, 5. 21 Harry Eckstein, “Case Study and Theory in Political Science,” in Case Study Method, ed. Roger Gomm, Martyn Hammersley, and Peter Foster (London: SAGE Pulications Ltd, 2009), 12, https://dx.doi.org/10.4135/9780857024367.d11. 22 Eckstein, 17.


12

perception of cyberspace in the UK – discovery – but also to the development of CCI - problem-

solving.23

This thesis explores how one specific state has developed their understanding of these concepts,

and whether there are potential takeaways for other states facing these challenges. The use of a

single case allows for a deeper qualitative content analysis, tracing the development of a particular

strategic concept in a meaningful way. It is important to note that while there is a single overarching

case under examination, within-case analysis of national security documentation is comparative and

developmental – each document will be considered in light of the others. Together with the use of

process-tracing, this “increases the number of theoretically relevant observations.”24 Generalisation

across states is not the intended purpose of this thesis, though additional case studies could further

augment the findings presented here.

Case Selection

Several elements needed to be taken into account in identifying an appropriate case for analysis

relevant to both the utility of threat elevation theory and the concept of CCI. First, that these are

frameworks of understanding that are particularly relevant at the state level of analysis. While they

can be applied to lower levels of analysis like corporations or individuals (which will be discussed

in chapters three and five), given the fields of research, it was decided to use a sovereign state as

the unit of analysis in the selected case. Further research on alternate levels of analysis will be

necessary to determine the generalisability of the threat elevation framework, but that is beyond

the bounds of the current research and cannot be adequately conducted given resource and time

restraints. Having identified the state as the appropriate unit of analysis, it was then necessary to

decide which state would be the subject of the case study in order to be able to generate knowledge

concerning state elevation of CCI.

The UK is an influential state in economic, political, and security matters. It is well positioned to

be the subject of analysis, as a post-industrial and highly technologised state with an increasing

dependence on cyberspace. Moreover, the UK is a member of multiple influential security

organisations in which it wields significant influence. It is a member of the North Atlantic Treaty

Organisation (NATO); it is the leader of the British Commonwealth; it is one of the five permanent

23 Rob Van Wynsberghe and Smia Khan, “Redefining Case Study,” International Journal of Qualitative Methods 6, no. 2 (2007): 81. 24 Gary King, Robert O. Keohane, and Sidney Verba, Designing Social Inquiry: Scientific Inference in Qualitative Research (Princeton: Princeton University Press, 1994), 227.


13

members (P5) of the United Nations Security Council (UNSC); and it is one of the five states that

form the Five Eyes intelligence and security cooperative, along with the United States of America

(US); Canada; Australia; and New Zealand (NZ). The attitudes, perception, and policies of the UK

have the potential to influence multiple states across a vast geopolitical spectrum. The uptake of

high technologies is a matter of policy in the UK, and successive governments have invested

significantly in pursuit of the articulated into of becoming a leading technological power.25 As such,

there has been considerable development of cyberspace policies and frameworks across the

government, and in military and security agencies. National security documents outlining the

strategic intent and imperatives of the UK are publicly available, demonstrating a relatively high

degree of openness and engagement with the democratic audience, and serve to signal the UK’s

interests and concerns. This allows a more systematic analysis of what changes over time, relative

to other states that don’t have the history of policy development or publication at an unclassified

level of such policies.

A time frame of the ten year period of 2008-2018 was selected for analysis. This time period

represents four changes of government across the two major political parties of the UK, and the

publication of nine strategic documents. The study ends before the full consequences of Brexit and

the UK’s withdrawal from the European Union (EU) are finalised or completely known,26 the

potential policy implications of which are beyond the scope of this thesis. Although the time frame

for the case study in this thesis ends at 2018, I recognise that developments such as the publication

of the Integrated Review in 2021 are important for understanding the development trajectory of

CCI in the UK. Accordingly, I address this is the conclusion to the thesis.

In choosing to analyse the understanding of a particular concept (cyberspace as a threat) through

the analysis of a class of information (national security documentation), this thesis engages in the

study of a specific aspect of a particular episode in history; in this case, a specific period of time

within which significant development of and events in cyberspace occurred on a global scale. The

within-case analysis of a single state allows for a close reading and examination while also producing

25 Chapter four articulates the United Kingdom elevation of the threat perception of cyberspace through a selection of national security documentation. For the most recent articulation of the intent to transform the United Kingdom into a leading digital power, see Cabinet Office of the United Kingdom, “Global Britain in a Competitive Age: The Integrated Review of Security, Defence, Development and Foreign Policy” (The APS Group, 2021), https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/975077/Global_Britain_in_a_Competitive_Age-_the_Integrated_Review_of_Security__Defence__Development_and_Foreign_Policy.pdf. 26 ‘Brexit’ refers to the exit of the United Kingdom from the European Union following a 2016 referendum and subsequent negotiations.


14

knowledge and potential lessons more broadly generalisable than the case study focus (the UK),

due to the global use and importance of the cyber domain. More specifically, the conclusions drawn

from the analysis of the UK’s threat perception of cyberspace and development of CCI in chapter

five, in the context of disinformation as examined in chapter six, will also produce lessons for states

of similar political structure and security concerns; namely, foreign interference and democratic

integrity.

The framework employed in this thesis is threat elevation analysis, a descriptive analytic tool that

describes the way in which a particular political issue or concern is elevated to either a risk or a

threat. Threat elevation analysis will be described thoroughly in chapter three, but from a

methodological point of view and as mentioned above, this thesis will employ process-tracing on

the selected national security documentation of the UK to discover whether the development of

the strategic conception of cyberspace in the UK has advanced according to the expected

assumptions and framework of threat elevation analysis. David Collier states that “process tracing

focuses on the unfolding of events or situations over time…[and] the descriptive component of process

tracing begins not with observing change or sequence, but rather with taking good snapshots at a

series of specific moments.”27 The national security documents selected for analysis serve as the

snapshots through which to examine the trajectory of change in the threat perception of cyberspace

in the UK.

Additionally, how or whether these assumptions prove true or false will indicate the integrity of

the framework as well as contribute to existing literature concerning the national security

perceptions, policies, and understandings of the UK in a continuously developing domain, namely

cyberspace. Whether or not there has been a successful elevation of a particular security concern

within cyberspace will then be analysed in chapter six, which examines the threat of disinformation

within the framework of threat elevation analysis, and according to the conclusions drawn in the

preceding analysis of the selected national security documentation of the UK.

Limitations and Challenges

The choice of case study analysis in this research design introduces several inherent limitations and

challenges to both the nature of the thesis and the generalisability of its conclusions. First, though

threat elevation has been for broad applicability (i.e., to a range of actors and situations), and despite

the criticisms of traditional securitisation theories of the continued focus on the state despite claims

27 Collier, “Understanding Process Tracing,” 824.


15

to the contrary, this thesis examines how a particular state actor has elevated a particular domain,

concept, and problem — cyberspace, cyber counterintelligence, and disinformation. The choice to

examine state actor elevation was made in order to ascertain how at the highest levels, these

concepts and problems are being understood. The way that states understand and elevate risks and

threats will, through legislature and policy, affect the ways in which substate actors like corporate

groups and individuals are able to engage and act themselves. Threat elevation analysis can be

applied to substate actors and security concepts and problems, but this is largely outside the scope

of this thesis and must be reserved for future research. I have provided a typology of cyber

counterintelligence in chapter five that includes substate actors as a foundation for future research,

and threat elevation analysis requires no manipulation for the concepts and processes to be

applicable at the substate level.

In terms of the choice to study a national security problem (which can easily be perceived as

remaining firmly within the politico-military bounds of other strategic studies analytical traditions

and thus subject to similar criticisms as traditional securitisation theories), cyber counterintelligence

– as explained in chapter five – is concern at all levels of analysis but a particular problem for the

state specifically because cyber-enabled concerns are not bounded to politico-military spaces. Given

the ubiquitous nature of cyberspace and cyber-enabled platforms and devices, cyber

counterintelligence problems affect, and are affected by, multiple sectors beyond the political and

the military. How the state perceives cyberspace and cyber counterintelligence will in turn affect all

societal sectors. Further research will need to be done in these sectors – the environmental,

economic, and societal – and the intent of this thesis is to form part of the foundation of that

research.

By choosing to engage with a single state and conduct within-case analysis of the national security

documentation published by that state, it is possible that my conclusions may be affected by the

worldview of that particular country. The UK does not have the same perception of and response

to cyberspace and cyber-enabled security concerns as do other states; all states’ perception will

depend on context, capabilities, goals, domestic and external relationships, among other factors.

Moreover, the United Kingdom is a mature democracy; the method through which the UK elevates

risks and threats will likely be different to the ways in which new democracies or authoritarian

regimes will engage with threat elevation. There is also a need for future research to address the

relationship between the state and citizens vs. the state and non-citizens in terms of security

priorities and how cyber counterintelligence requirements and practices must be negotiated; how


16

does threat elevation and then management or mitigation occur? Jurisdictional issues are as much

a problem between people in matters of cyber security and cyber counterintelligence as they are in

the technological infrastructure space.

In order to engage deeply with the national security documentation and ensure robust analysis,

however, I believe that limiting the analysis to a single case across a significant period of time

enabled me to more effectively draw out the evolution of threat perception and development of

CCI. By assessing the evolution of perspective in one state, I am able to test the integrity of the

threat elevation analysis framework as well as contribute to existing knowledge not just on British

policy in regard to cyberspace but also build a set of expectations as to how that evolution may

proceed which can be tested against other states or non-state actors in future research. Alternately,

further research may find that state perception of cyberspace and development of cyber intelligence

and counterintelligence frameworks may evolve along similar lines independently of a particular

system of governance. Also beyond the scope of this thesis but worthy of identifying for future

research is the recognition that substate actors such as corporations, organised groups and

individuals may elevate the threat of state actions, and so the perception of cyberspace and cyber

counterintelligence of these actors will be informed by different priorities and capabilities. While

this case study in chapter four was selected based on the availability of national security

documentation, classification restrictions on related material may have limited the available

documentation for analysis. I appreciate that it is not possible to generalise on the basis of one case

– what this thesis seeks to establish is a conceptual and methodological baseline from which to do

so in subsequent research.

The subject matter of this thesis also presented research difficulties:28 CCI is a nascent field and

very much a contemporary security concern. Cyberspace enables, or is a critical feature, of a

majority of the critical infrastructure and communications platforms upon which daily interaction

at all levels is dependent. Where intelligence and counterintelligence were traditionally the purview

of the state as the only actor with the intent capability to affect international affairs or with the

need to understand and possibly manipulate state behaviours, this is no longer the case. The state

is no longer the only actor engaging in intelligence and counterintelligence; at all levels, actors that

operate in cyberspace are capable of engaging in these practices. Increasingly, states are having to

interact with substate actors in both cooperative and offensive/defensive settings. The number of

28 Preliminary research on British approaches to traditional counterintelligence was conducted at the Imperial War Museum archives in London in 2019. Plans for follow-up fieldwork and archival research had to be abandoned with the onset of COVID-19 and associated restrictions on international travel.


17

nonstate and substate actors that are capable of affecting the state or engaging in intelligence

collection and exploitation through cyberspace has increased, and this complicates the

counterintelligence environment. Interaction could be state vs. state; state vs. non-state; state vs.

individual; non-state vs. non-state; or non-state vs. individual. In elaborating a typology of CCI and

engaging in an examination of the actors that could employ these practices, I have attempted to

provide examples of the ways in which a variety of actors might engage in cyber counterintelligence

and for which reasons.

Chapter Outline

Chapter two of this thesis contains an overview of the literature concerning the three primary

bodies of research identified as relevant to this thesis: securitisation, counterintelligence, and

disinformation. These three fields contribute to the development of CCI offered in chapter five

and the discussion of disinformation as a threat to the state and to democratic integrity in chapter

six.

Chapter three develops the threat elevation analysis framework which underpins the analysis put

forward in this thesis. Threat elevation analysis describes the process according to which the

evolution of threats can be traced an analysed. Threat elevation is a multistep process that involves

first riskification of an issue and, if management of that risk fails, securitisation of that issue

followed by mitigation measures. The second half of this chapter contains an analysis of the threat

elevation of cyberspace, to contextualise the subsequent chapter.

Chapter four applies the threat elevation analysis framework of chapter three to the examination

of the threat perception of cyberspace in the UK, asking whether or not the development and

understanding of CCI can be ascertained based on that analysis. Using a selection of national

security documents from the period 2008-2018 inclusive, chapter four offers a specific case

application of the theoretical and conceptual contributions made by this thesis.

Chapter five offers a comprehensive development of the concept, typology, and utility of CCI,

building on the nascent body of literature in this field and further developing prior research. From

the starting point of a definition of CCI, subsequent sections of chapter five address the

development and practice of CCI before moving into the conceptual development of a typology.

In addition to the passive/active/proactive framework, this chapter also develops the


18

strategic/tactical framework of CCI as a practice before moving into the final sections concerning

the actors in cyberspace that may or should utilise CCI.

The sixth chapter takes the analysis and conclusions drawn throughout the case study of the UK

and, through the lens of threat elevation analysis, and in relation to the development and utilisation

of CCI, considers a specific national security problem: the rise of disinformation and the dangers

that it can pose to democratic integrity in the cyber era. This chapter will examine two cases of

disinformation countermeasures: one successful, and one unsuccessful. This will serve to illuminate

potential policy and CCI directions into the future.

The seventh and final chapter of this thesis will summarise the conclusions of the research

undertaken throughout. Chapter seven highlights the key takeaways of the research and identifying

avenues of future investigation before offering some closing thoughts.

19

2 - Contextualising Cyber Counterintelligence: the Need for Threat

Elevation Analysis There are three broad areas of research to which different sections of this thesis are relevant. These

fields are securitisation studies; counterintelligence studies; and disinformation studies. The extant

literature in each field is substantial, more so in the former two than in the latter, though this is

changing as further research is conducted into the use of disinformation for the purposes of

foreign interference. The following literature review has been split into three sections, correlating

directly to the identified bodies of relevant literature and the overall narrative threat of the thesis.

The initial section is devoted to the body of work surrounding securitisation studies, as this forms

the foundation of the framework of analysis that will be developed and utilised throughout the

main body and analysis of this thesis. I cover the elements of securitisation and the sectors in

which the framework is intended to be used, before discussing several of the criticisms of

securitisation and identifying a way forward under a variant framework. That variant - threat

elevation analysis - will be used to evaluate the development of cyberspace threat perception in the

United Kingdom (UK) and whether there has been a contiguous development of

counterintelligence practice in cyberspace in the case study in chapter four. The second section of

this chapter will examine traditional counterintelligence, briefly covering its history and purpose

before moving into the nascent literature surrounding cyber counterintelligence (CCI). This

section defines and contextualises CCI and its importance in a highly digitalised international

system, which leads into the final section on disinformation. I briefly compare disinformation to

misinformation and propaganda, discussing the potential consequences of false information as a

form of foreign interference in cyber-enabled operations. This chapter is intended to provide an

overview of current perspectives and understandings in these three fields, which will be built upon

in later chapters.

Securitisation

Copenhagen securitisation theory (CST) is a method for understanding the construction of security

threats. Because the primary research question of this thesis engages with national security

documentation in order to identify and trace the evolution of a specific security concept, a

theoretical framework designed to analyse that process provides an ideal analytical lens. The

subjectivity inherent in process-tracing a concept in a qualitative analysis makes the use of more

traditional positivist frameworks less suited to this research, given its fundamentally exploratory

nature. This thesis does not seek to identify or articulate particular logical rules or laws that have

Chapter 2 – Contextualising CCI

20

the potential to be quantitatively proven, though this could be an avenue of future research. While

a realist analysis of state actions is possible, the thesis is not particularly concerned with the

systemic interactions of states beyond the potential consequences of disinformation campaigns

imposing external strategic narratives; additionally, non-state actors are herein recognised as

capable actors in cyberspace. Nor is this thesis substantively concerned with the exercise of power

as such: it is an examination of threat perception and the development of responses and policies

according to that perception. A framework that explores the process by which a particular entity

problematises security, then, is most appropriate to this research.

This section will be comprised of an examination and analysis of several key elements of CST. In

chapter three, I build on these existing concepts to further an alternative understanding of

securitisation. By utilising the existing framework of securitisation theory and approaching analysis

from a more post-positivist point of view, I develop my own analytical framework by which to

consider security phenomena. More specifically, I argue that securitisation would be better

understood as a tiered, threat elevation process, rather than a linear process of threat construction.

First conceived by scholars of the Copenhagen Peace Research Institute (COPRI), in Denmark,29

securitisation theory was intended to widen the view of security studies beyond the military sector,

to include the societal; political; economic; and environmental sectors in security calculations.30 It

is also closely related to the body of work surrounding regional security complex theory (RSCT),

wherein securitising dynamics are considered in regional contexts.31 These regional dynamics relate

directly to the security sectors articulated in CST and can explain how regional security dynamics

are created, exacerbated, or mitigated. While an important body of work, this thesis does not

engage with regional dynamics of, or approaches to, the threat elevation of cyberspace or the

development of counterintelligence in relation to cyber-enabled disinformation. The focus is on

the concept and application of securitisation principles more generally, placing an examination of

RSCT in relation to cyber beyond the scope of this thesis.

29 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis; Stritzel, Security in Translation: Securitization Theory and the Localization of Threat, 11. 30 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 49–162. 31 Buzan, Waever, and de Wilde, 9–20. See also Barry Buzan, “Regional Security Complex Theory in the Post-Cold War World,” in Theories of New Regionalism: A Palgrave Reader, ed. Fredrik Söderbaum and Timothy M. Shaw, International Political Economy Series (London: Palgrave Macmillan UK, 2003), 140–59, https://doi.org/10.1057/9781403938794_8; Barry Buzan, People, States, and Fear: An Agenda for International Security Studies in the Post-Cold War Era (New York: Prentice Hall, 1991).


21

Given its focus on the construction of threat rather than the military concerns of the state,

Copenhagen securitisation stands apart from more traditional security and/or strategic studies,

and rather closer to critical security studies.32 Generally, securitisation fits within the bounds of the

constructivist field of research,33 for which the body of research has grown considerably in the

post-Cold War era.34 More specifically, Copenhagen securitisation scholars are often perceived to

be scholars of (the new) critical security studies, so named for the shift away from the state and

the military as the focal point of security concern.35 Copenhagen securitisation theory as perceived

herein is a (social) constructivist theory, regardless of theoretical roots.36

One of the central tenets of securitisation theory is the removal of a (political) concern from within

the bounds of ‘normal’ politics, and the relocation of that concern to the security arena. The

32 Military concerns do play a role in the security concerns of the state according to CST however as stated above, the military sector is/should be only one concern among several. That is to say, while military security concerns should be factored in to security calculations, according to Copenhagen securitization theory they should not be the primary or only focus. 33 Buzan et al suggest that security issues should be analysed “by taking an explicitly social constructivist approach to understanding the process by which issues become securitised.” Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 19. 34 See Thierry Balzacq, “Legitimacy and the ‘Logic’ of Security,” in Contesting Security: Strategies and Logics, PRIO New Security Studies (New York: Routledge, 2015), 1–10; Balzacq, “A Theory of Securitization: Origins, Core Assumptions, and Variants”; Thierry Balzacq, “The ‘Essence’ of Securitization: Theory, Ideal Type, and a Sociological Science of Security,” International Relations 29, no. 1 (March 1, 2015): 103–13, https://doi.org/10.1177/0047117814526606b; Balzacq, “Securitization Theory”; Thierry Balzacq, “The Three Faces of Securitization: Political Agency, Audience and Context,” European Journal of International Relations 11, no. 2 (June 1, 2005): 171–201, https://doi.org/10.1177/1354066105052960; Thierry Balzacq, Sarah Léonard, and Jan Ruzicka, “‘Securitization’ Revisited: Theory and Cases,” International Relations 30, no. 4 (December 1, 2016): 494–531, https://doi.org/10.1177/0047117815596590; Renata H. Dalaqua, “‘Securing Our Survival (SOS)’: Non-State Actors and the Campaign for a Nuclear Weapons Convention through the Prism of Securitisation Theory,” Brazilian Political Science Review 7, no. 3 (2013): 90-117,167-168; Myriam Dunn Cavelty, “From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse,” International Studies Review 15, no. 1 (March 2013): 105–22, https://doi.org/10.1111/misr.12023; Rabea Hass, “The Role of Media in Conflict and Their Influence on Securitisation,” The International Spectator 44, no. 4 (December 2009): 77–91, https://doi.org/10.1080/03932720903351187; Knudsen, “Post-Copenhagen Security Studies: Desecuritizing Securitization”; McDonald, “Securitization and the Construction of Security”; Heikki Patomaki, “Absenting the Absence of Future Dangers and Structural Transformations in Securitization Theory,” International Relations 29, no. 1 (2015): 128–36; Columba Peoples and Nick Vaughan-Williams, “Introduction,” in Critical Security Studies: An Introduction, 2nd ed. (New York: Routledge, 2015), 1–12; Kees Ven Der Pijl, “La Disciplina Del Miedo. La Securitización de Las Relaciones Internacionales Tras El 11-S Desde Una Perspectiva Histórica,” Relaciones Internacionales 31 (2016): 153–87; Scott D. Watson, “‘Framing’ the Copenhagen School: Integrating the Literature on Threat Construction,” Millennium: Journal of International Studies 40, no. 2 (January 2012): 279–301, https://doi.org/10.1177/0305829811425889; Williams, “Words, Images, Enemies”; Williams, “Securitization as Political Theory: The Politics of the Extraordinary.” 35 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 4–5; Stritzel, Security in Translation: Securitization Theory and the Localization of Threat, 51. 36 Constructivism is a relatively new field of critical international relations, emerging as a unique School of thought approximately thirty years ago that focuses on the importance and effect of social action in (international) politics, and the action value of the individual. It focuses on how the meaning and value of institutions, security, and threats are socially constructed; that is to say, given meaning by individuals or groups. This focus on the social aspect of (political) action necessitates a deeper focus on the idea of identity that is not present (as much) in more traditional international relations theories like Liberalism and Realism, with their respective focuses on economy and institutions, and military security. Christian Reus-Smit, “Constructivism,” in Theories of International Relations, 5th ed. (New York: Palgrave Macmillan, 2013), 217–40.


22

process through which this takes place – going from political concern to security threat – is the

securitisation process. Broadly speaking, the state of politics in which a securitisation process takes

place has been termed the ‘politics of the extraordinary’.37

The idea of politics of the extraordinary has been linked to German political philosopher Carl

Schmitt.38 As conceived by Schmitt, the politics of the extraordinary describes the political context

at the time of and immediately preceding the securitising process. As I argue in later sections, for

a political concern to be securitised there must be a justification for elevating an issue out of the

arena of ‘normal’ politics that necessitates emergency measures. The situation must be, therefore,

out of the ordinary.

The concept of ‘out of the ordinary’ introduces an ongoing criticism of Copenhagen securitisation

theory: the failure to identify what ‘normal’ politics looks like, and the location of the boundary

lines that must be crossed in a securitisation.39 Defining ‘normal’ politics is more complex an issue

than may be immediately apparent. It must be noted that ‘normal’ to any given actor is highly

subjective, and thus what presents itself as normal politics for one actor (usually, the state) may be

entirely extraordinary for another. In addition to the subjectivity of perception, ‘normality’ is also

context-dependent. For any actor in the international political system, there will be degrees of

‘normal’ for any given situation. Contextual normality also rests on multiple variables: form of

government (democracy vs. autocracy vs. theocracy); parties to a situation or conflict and the

historical relationship between those parties; possible outcomes; and (international) reputation are

among the variables that will factor into a calculation of the ‘normality’ of any given international-

37 Williams, “Securitization as Political Theory: The Politics of the Extraordinary,” 114–15; Andreas Kalyvas, Democracy and the Politics of the Extraordinary: Max Weber, Carl Schmitt, and Hannah Arendt (Cambridge: Cambridge University Press, 2008), https://doi.org/10.1017/CBO9780511755842. 38 Carl Schmitt is a controversial figure, as his work as both political philosopher and jurist is linked to Nazism and the Third Reich. Schmitt theorised extensively on the wielding of power in the political arena. Schmitt characterised the concept of ‘the political’ as “an exceptional decision defined within the friend-enemy distinction.” A declaration of enmity bears distinct resemblance to the concept of the existential threat in Copenhagen securitization. See also Kalyvas, Democracy and the Politics of the Extraordinary; Williams, “Words, Images, Enemies.” 39 Buzan, Waever and de Wilde acknowledge the difficulty of bounding the political sector, stating that “all threats and defences are constituted and defined politically.” Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 141. Buzan, Jones and Little define politics as “the shaping of human behaviour for the purpose of governing large groups of people.” Barry Buzan, Charles Jones, and Richard Little, The Logic of Anarchy: Neorealism to Structural Realism (New York: Columbia University Press, 1993), 35. Even here, characterizing any form of politics as normal will depend on the contextual and subjective biases of the analyst; a Western analyst would describe democratic politics as normal. An analyst who has lived all their lives under authoritarian rule might describe those conditions as normal. The boundary lines for securitizations are thus not fixed or immutable in any case. Waever contends that normal politics is defined as “politics that should be able to unfold according to normal procedures without this extraordinary elevation of specific “threats” to a pre-political immediacy,” which aligns with the threat elevation analysis framework offered in this thesis and is accepted as the functional definition of normal politics hereon. Waever, “Securitisation,” 15.


23

scale situation or conflict. Issues of subjectivity and perception are ongoing challenges to political

theory as a field of research. While it is beyond the scope of this research to fully explore perception

and subjectivity in relation to securitisations, they are recognised contributing factors throughout

this thesis.

Accepting the difficulty of assigning a precise definition of normal politics, for the purposes of

this thesis, normal politics may be understood as the stable continuation of the formal processes

of institutionalised politics; that is, “characterised by widespread pluralism and political

fragmentation.”40 Put simply, when there is no issue beyond the norm that may unite disparate

political groups to securitise an overriding issue. This does not mean that normal politics should

be perceived as a state of peace; simply that beyond the generally accepted or known threats to

security,41 there are no issues that may prompt emergency measures (without unforeseen

catastrophe).

The next several sections present a discussion of the key elements of Copenhagen securitisation

theory herein understood. This serves a dual purpose: in addition to presenting a view of the

current conception of Copenhagen securitisation theory and exploring key concepts relating to

threat analysis, I will use these concepts to establish my own theoretical contribution in later

sections of this thesis. I will examine the elements that securitisation scholars have identified as

crucial to a securitising move: the speech act; the referent object; the existential threat; extreme

necessity; extraordinary measures; the securitising actor; and the relevant audience.

Elements of Securitisation Theory

In this section, I explore seven elements of CST that are crucial to the securitisation framework.

The definition and interplay of these elements dictate how securitisation in any form is interpreted

and applied. As seen in Figure 2 - The Elements of Securitisation Theory, these elements are:

the speech act; the referent object; the existential threat; extreme necessity; extraordinary measures;

the securitising actor; and the relevant audience.

40 Williams (2015), pp. 115-116 41 or risks: for a discussion of riskification see Corry, “Securitisation and ‘Riskification.’”


24

The Speech Act

The defining element of CST is the focus on the speech act, or the way in which security is spoken.

The speech act is the initial securitising move of the/a securitising process, in which an existential

threat to a certain referent object is declared; it is a declarative, illocutionary act.42 According to

John L. Austin,43 the illocutionary act is that which is performed in saying something, so by

declaring something a security threat it becomes a security threat through illocutionary force. The

speech act also services to provide a justification: it is a discursive legitimation that at once

identifies an imminent threat to the referent object in question and offers solutions for threat

mitigation. The performative element of the speech act is important to both its legitimating force

and the securitising process as a whole: securitisation is only successful if it is accepted by the

relevant audience to which the speech act is directed.

The Referent Object

The referent object is the focus or subject of the securitising move. It is the thing, idea or person

that the securitising actor indicates is

42 Buzan, Waever & de Wilde. John Searle, in “A Taxonomy of Illocutionary Acts,” Minnesota Studies in the Philosophy of Science 7 (1975): 26–28; 32–33, considers a commissive illocutionary statement to be one “whose point is to commit the speaker….to some future course of action.” See also Balzacq, “A Theory of Securitization: Origins, Core Assumptions, and Variants,” 4–5. Politicians make commissive illocutionary statements in policies, speeches, and campaign platforms, for example. They are promises to some future action, usually utilised to gain support during a campaign or to score points against a political rival. Declarative illocutionary statements, on the other hand, are a type of performance. The successful performance of a declarative illocutionary act brings about an actual change. “Declarations bring about some alteration in the status or condition of the referred to object or objects solely in virtue of the fact that the declaration has been successfully performed” (“A Taxonomy of Illocutionary Acts,” 358, emphasis added.). Making a successful declaration then is sufficient to bring about a particular change. Assuming this to be the case, there is both enormous risk and enormous responsibility in endowing anybody with the legitimate authority to speak security. 43 J. L. Austin, How to Do Things with Words, 2nd ed (London: Oxford University Press, 1980), 8–15.

The speech act

The referent object

The existential threat

Extreme necessity

Extraordinary measures

The securitising

actorThe relevant

audience

Figure 2 - The Elements of Securitisation Theory


25

a) threatened on an existential level, and

b) must therefore be protected (at all/significant cost if necessary).

For the state there exists many possible referent objects: forward military bases; its own territorial

integrity and/or that of its allies or neighbours; its currency; the members of the executive branch

(in case of crisis), and so on. The list of possible referent objects is extensive. Perhaps the most

important referent object to the state is its own sovereignty, to which the state owes its existence

and legitimacy. In this particular interpretation, the state itself is transformed into the ultimate

referent object, and within securitisation literature, this is often the case.44 Certain territories/lands,

or access to such could also be securitised, as was the case with Diego Garcia.45 An existing

(political) regime such as communism (as a governing political ideology), or capitalism (as a

governing economic policy) could be securitised at the systemic level if the failure of such

threatened the existence of the state. Corporations can securitise certain intellectual property,

particularly if the intellectual property (IP) forms the foundation of the company or part thereof.

Corporations can securitise access to territories and markets, either for sales or manufacturing.

Individuals can also securitise many referent objects; house, jobs, freedoms and liberties.46 As

previously stated, the size and scale or securitisation, and in part the referent object in question,

help to determine the success of the securitising process. Given the subjective aspects of how we

assign value to a given referent object, the success of a securitisation (as will be covered in later

sections) is complex.

The Existential Threat

If the referent object is what must be protected in a securitisation, the existential threat is the other

half of that equation: it is what must be protected against. An existential threat must, by definition,

be real and pressing,47 and pose the sort of danger that would without a doubt affect the continued

existence (in its current form) of the referent object. It is not enough for a high level of incurred

damage to be expected to term a threat existential unless the successful completion of that damage

would then threaten the very existence of the referent object. The existence of a nuclear bomb is

not in itself an existential threat to the state. The explosion of that bomb on state soil such that

the government is destroyed, and the state ceases to exist in its current form is the existential threat.

44 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 36; Stritzel, Security in Translation: Securitization Theory and the Localization of Threat, 15. 45 Mark B. Salter and Can E. Mutlu, “Securitisation and Diego Garcia,” Review of International Studies 39, no. 4 (October 2013): 815–34, http://dx.doi.org/10.1017/S0260210512000587. 46 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 40. 47 Rita Floyd, “Can Securitization Theory Be Used in Normative Analysis? Towards a Just Securitization Theory,” Security Dialogue 42, no. 4–5 (2011): 430, https://doi.org/10.1177/0967010611418712.


26

In addition, it is also possible for events to be existentially threatening, rather than an actor or an

object. It should be accorded the same gravity and mitigation efforts as active security threats

posed by identified malicious actors, as in the case of armed conflict.

Beyond existential threats of a physical nature, it is also possible to consider a threat existential if

it endangers the current form or conception of the referent object, especially in the case of states. A

secession or coup would represent an existential threat to the current regime, but not necessarily

to the state itself unless significant territory exchange occurred as a direct result, such as if Scotland

successfully seceded from the Kingdom of Great Britain and Northern Ireland, or Quebec from

Canada. In terms of ideologies, rival ideologies can be existentially threatening; throughout the

Cold War, communism was considered an existential threat to democracies and formed an integral

part of the competition between the United States (US) and the Soviet Union (USSR). The

existential threat is the identified problem in a given situation which must be mitigated or guarded

against in order for the referent object to survive. It is the severity of the identified threat that is

used to justify the extraordinary measures for which a securitising actor is advocating or

campaigning.

Extreme Necessity

Another important element of securitisation theory is the existence or state of extreme necessity

required for a successful securitising move. Extreme necessity indicates that the threat is immediate

and pressing, introducing the element of time into the securitising equation. That combination of

extreme necessity and immediacy of requirement for mitigation contributes to the classification of

existential threat. In order to successfully securitise a threat, that threat must be (perceived by the

relevant audience as) immediate, pressing, and requiring certain extraordinary measures to mitigate

due to the extreme necessity of combatting said threat.48 By presenting an existential threat to the

actor in question, extreme necessity can be traded for extraordinary powers to mitigate that threat.

To return to the nuclear bomb example, there must be a real and immediate danger of that bomb

being used in order for this to be considered an extreme necessity. This is the element of

securitisation that troubles issues such as environmental decay and global warming. While they are

pressing issues and may (will) require extraordinary measures to mitigate, they are long term

problems and will rarely attain the levels of extreme necessity by that very nature.49 In the event of

48 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 24–26; Stritzel, Security in Translation: Securitization Theory and the Localization of Threat, 15; Williams, “Words, Images, Enemies,” 516. 49 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 71–95; Balzacq, Léonard, and Ruzicka, “‘Securitization’ Revisited,” 511–12.


27

an unforeseen natural disaster or other engaging mechanism, that may change, but as a general rule

environmental dangers do not dictate extraordinary measures due to extreme necessity.50

Extraordinary Measures

Extraordinary measures are arguably the most obvious and contentious element of any securitising

process. The elements of a securitisation move, discussed above, must be fulfilled before

extraordinary measures can be approved; without any one of these elements, it is highly unlikely

that the securitisation will be successful. Extraordinary measures are those actions, policies, or

other method of threat mitigation that would ordinarily, in the course of ‘normal’ politics, not be

permitted or considered by the relevant audience. Extraordinary measures by definition would not

be within the ordinary range of means or powers, and once the immediate threat has been mitigated

these extraordinary powers would no longer be within the remit of use. A pre-emptive strike to

forestall the delivery of the nuclear bomb would be an extraordinary measure.

Having identified an existential threat to a given referent object, and qualifying the resort to

extraordinary measures by the extreme necessity of combatting said threat, those extraordinary

measures may be undertaken. For example, whether or not one agrees with the 2003 invasion of

Iraq, preventive warfare is an example of extraordinary measures of threat mitigation following

the identification (correct or otherwise) of an existential treat that has been successfully securitised

before a relevant audience.51 It should be noted that these powers of extraordinary measures ought

to cease once the existential threat has been mitigated, and the state (or other actor) should resume

politics as normal.

50 However, this may change given the droughts being experienced in certain parts of the world, particularly South Africa. Decades earlier than predicted, the South African capital of Johannesburg was expected to run out of water in approximately April of 2018, despite the water rationing implemented by the governing authorities. Water supplies were to be cut off on what authorities referred to as Day Zero, when water reservoirs reached perilously low levels and suburbanites would need to queue for water. Intense management measures like water quotes have managed to stave off Day Zero in an example of anticipated-event elevation. Christian Alexander, “A Year After ‘Day Zero,’ Cape Town’s Drought Is Over, But Water Challenges Remain,” Bloomberg.Com, April 12, 2019, https://www.bloomberg.com/news/articles/2019-04-12/looking-back-on-cape-town-s-drought-and-day-zero; Krista Mahr, “How Cape Town Was Saved from Running out of Water,” the Guardian, May 4, 2018, http://www.theguardian.com/world/2018/may/04/back-from-the-brink-how-cape-town-cracked-its-water-crisis; Craig Welch, “Why Cape Town Is Running Out of Water, and the Cities That Are Next,” Science, March 5, 2018, https://www.nationalgeographic.com/science/article/cape-town-running-out-of-water-drought-taps-shutoff-other-cities. 51 Preventive warfare should not be confused with pre-emptive warfare. Pre-emptive warfare is undertaken in response to an identified threat or adversary, which can be credibly believed to be planning an attack in the immediate or near future. Preventive warfare is somewhat less legitimate and more morally contentious. It is undertaken in order to prevent a security concern or adversary from attacking in the future, hypothetically removing their ability or desire to do so. Colin S. Gray, The Implications of Preemptive and Preventive War Doctrines: A Reconsideration (Carlisle Barracks, PA: Strategic Studies Institute, U.S. Army War College, 2007), v–x.


28

The Securitising Actor

The securitising actor initiates the securitisation process. The securitising actor is someone who is

either an authorised agent, who can legitimately speak to security concerns, or someone who a

relevant audience perceives as having that authority.52 In other words, the agent must be powerful

enough or possessed of the right to speak (about security) for a certain body. Representatives of

the state such as government leaders and other political elites can ‘speak security’ (perform

discursive legitimation) for the state, depending on their (hierarchical) position and sphere of

influence. The state itself cannot be a securitising actor, only the referent object or indeed the

existential threat. Corporate actors, security officers or those in governing positions are usually

considered authoritative actors who may speak security for that collective. For political parties,

indigenous groups and other organised collectives, there is usually an elected or appointed leader

who is able to speak security for that collective. Regardless of the collective in question, the

securitising actor starts the securitisation process by identifying, usually verbally (according to the

Copenhagen School), an existential threat, claiming extraordinary measures will be necessary to

mitigate that threat, and justifying that process in front of a relevant audience.53 It is assumed that

the actor will have sufficient influence and enough authority over the relevant audience to make

successful securitisation possible.

Legitimate Authority

Legitimate authority is a term strongly tethered to the theory (or tradition) of Just War. According

to the Just War tradition, which is used primarily following a conflict to judge whether or not the

conflict was entered into and pursued in a just manner, one of the primary requirements for any

conflict to be just is that it was recognised by a legitimate authority.54 In the international

community, there are few entities that have the authority to judge whether or not a state has been

pursuing a just war (or conflict), or to decide whether a conflict has been just all things considered.

It could be argued that the United Nations is the only such authority, particularly considering the

Chapter 7 requirements of notice to the Security Council, accession to Security Council directives,

and the Charter of the United Nations giving the Security Council the authority to preside over

52 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 40–45. Note that legitimate authority is a contentious space, as is audience perception of where and with whom legitimate authority lies. I discuss actors with legitimate authority further in the next section as well as in chapter three, and the importance of audiences to CCI is considered throughout chapters four-six. 53 Buzan, Waever, and de Wilde, 40–45. 54 Howard M. Hensel, “Christian Belief and Western Just War Thought,” in The Prism of Just War: Asian and Western Perspectives on the Legitimate Use of Military Force, ed. Howard M. Hensel, Justice, International Law and Global Security (Farnham: Ashgate Publishing Limited, 2010), 42–44; James Turner Johnson, “Thinking Morally about War in the Middle Ages and Today,” in Ethics, Nationalism, and Just War: Medieval and Contemporary Perspectives, ed. Henrik Syse and Gregory M. Reichberg (Washington, D.C.: The Catholic University of America Press, 2007), 4–5.


29

the relative ‘justness’ of international conflict.55 Nothing in the Charter prevents the use of force

in self-defence, but the Charter and in fact the Just War tradition have in place certain elements,

or variables, that must be considered and/or employed when entering into conflict. While it is not

within the scope of this thesis to examine the tenets of the Just War tradition, the concept of

legitimate authority has bled into many contemporary theories of warfare and of security, and as

such has a special place in the analytic toolbox of any political scientist. Cecile Fabre considers

legitimate authority a crucial element of the Just War tradition, and defines legitimate authority as

applying “to the right to wage war”; as in, which actors have the right to declare and make war

upon another party.56

In terms of the securitisation framework, both traditional and as offered in this thesis, a type of

legitimate authority is required in order to properly securitise a political concern into a security

threat. I do not intend to offer a definition of legitimate authority; it is not within the scope of this

research. However, for an actor to undertake the securitising process, it must be acknowledged

that they have the authority to do so; that is to say, if an actor is to speak security to a relevant

audience then that audience must in the first instance believe that they have a credible right to do

so. The Prime Minister of Canada, for example, is easily accepted as a securitising actor because

the security of the state is well within his jurisdiction. The second assistant to the junior

undersecretary of education, while fulfilling an important function within the Ministry of

Education, is not likely to be accepted as a legitimate authority in a securitising process because

the security of the state is not within his jurisdiction. That is not to say that the second assistant

cannot securitise an issue within his jurisdiction; simply that legitimate authority in any situation is

contextually relevant, and particularly at the state level must be commensurate with the nature and

danger level of the perceived security concern. In this respect, whether or not the securitising actor

is considered to have legitimate authority is also dependent on how that actor is perceived by the

relevant audience before which he performs his securitising move(s). In short, the securitising

actor must have the authority to legitimately securitise an issue before the relevant audience.

55 Alex Conte, Security in the 21st Century : The United Nations, Afghanistan and Iraq (New York: Routledge, 2006), 13–15; 127–28; 187–89, https://doi.org/10.4324/9781351149563. 56 Cecile Fabre, “Cosmopolitanism, Just War Theory and Legitimate Authority,” International Affairs 84, no. 5 (September 1, 2008): 963, https://doi.org/10.1111/j.1468-2346.2008.00749.x.


30

Relevant Audience

The relevant audience comprises the parties before whom the securitising actor must engage in

the performative act of securitising a given threat.57 In democratic states, the relevant audience

more often than not is the general public, the support of which is necessary for any extraordinary

measure to be undertaken successfully. This is, essentially, a performance: the securitising actor

needs to convince the audience that a threat exists; that the aforementioned threat is existential in

nature; that the threat requires extraordinary measures to mitigate; and that the immediate and

pressing nature of the threat, i.e., the extreme necessity, justifies whatever additional powers are

being requested by the securitising actor. In a non-democratic regime, the relevant audience need

only amount to whatever political or military leaders there may be. In an authoritarian regime, the

relevant audience may only amount to the securitising actor alone. The nature of the relevant

audience is subject to the nature of the political system, and also to the nature of the threat and

the referent object.

The relative success an actor will enjoy when convincing the relevant audience of a threat will also

depend heavily on the “psycho-cultural orientation of the audience.”58 The historical relationship

between the attitude of the audience and a certain referent object, in addition to the historical

record of agreement with extraordinary measures or powers, will also play a part in the (expected)

success of a securitising move. An interesting point made by Myriam Dunn Cavelty is the existence

of what she calls ‘linguistic reservoirs’.59 Essentially, these reservoirs are stock phrases, specific

vocabulary and threat images that invoke a particular sentiment in the target audience. When

considering securitisation, or just security in general, there are a number of identifiable words and

phrases that are likely to add weight to your statements and also draw audience support or consent

for your position. Some are fairly explicit; invoking “national security”, for example, will quickly

draw attention to the issue you are attempting to securitise. When referring to the dangers of

cyberspace, hinting at or outright mentioning the possibility of a “cyber Pearl Harbour” or “digital

Pearl Harbour” (in the US particularly) immediately infers a threat to peace and security.60 Linking

a painful cultural and/or historical event with a contemporary threat allows (encourages) the

audience to draw parallels between the two, and if done correctly will attach similar sentiments to

57 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 40–42; Stritzel, Security in Translation: Securitization Theory and the Localization of Threat, 13, 22. 58 Balzacq, “The Three Faces of Securitization,” 172. 59 Dunn Cavelty, “From Cyber-Bombs to Political Fallout,” 108–10. 60 Elisabeth Bumiller and Thom Shanker, “Panetta Warns of Dire Threat of Cyberattack on U.S.,” The New York Times, October 12, 2012, sec. World, https://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html; Robert Windrem, “Pentagon and Hackers in ‘Cyberwar,’” ZDNet, March 5, 1999, https://www.zdnet.com/article/pentagon-and-hackers-in-cyberwar/.


31

the current security threat as are attached to the historic event. Using a culturally sensitive event

to perpetuate threat perceptions using existing words and phrases from a linguistic reservoir lends

a gravity to the securitisation that, all things considered, it may not otherwise obtain short of

immediate and overwhelming disaster.61

The relationship between the audience and the securitisation is not complete upon the approval

(or rejection) of the claim to extraordinary measures. As Thierry Balzacq notes,62 audience consent

is inextricably linked to the legitimacy of any security policy or practice, and just as that consent is

provided, it may also be revoked at any time. This would render said policy or practice less

legitimate, or illegitimate altogether. According to Balzacq, the sum legitimacy of an actor or policy

is comprised of three elements: its legality, its justification, and the aforementioned (ongoing)

consent of the audience.63 Concerning the link between legitimacy and legality, Balzacq notes that

security practices are in part legitimised by conforming, or appearing to conform, to the legal rules

of a given political system.64 In line with claims of legality of a practice, the success of any actor’s

justificatory claim depends, to a large extent, on the leaders’ ability to persuade the audience that

security practices contribute in a credible way to the achievement of society’s values.65

According to the persuasiveness of the justificatory claim and the perceived legality of a suggested

security practice or policy, the relevant audience will then either give or deny consent to

extraordinary measures. Consent is a necessary condition for legitimacy; it introduces duties (upon

the audience) to comply with the policies developed by the securitising actor, who by virtue of that

consent has the right to pursue that policy or practice under the general expectation that their (the

audience’s) security will be increased as a direct result of said policy or practice.66

Following the implementation of extraordinary measures, audience consent is continuously

required for those measures, or they could be subject to three possible ends: (a) a deficit of

legitimacy; (b) the de-legitimation of the practice or policy, or; (c) the ultimate illegitimacy of the

61 Linguistic reservoirs are by no means limited to those who speak security, though for the purposes of this thesis are relatively simple to identify. Beyond words and phrases explicitly associated with the securitizing process, it is also important to take into account the growing societal dependence on, relationship with, and interactions through images. Images with a particular cultural resonance, such as those taken of the burning Twin Towers, can also aid a securitization. See Figure 4 - Photo: Robert Clark, Associated Press, 2001 62 Balzacq, “Legitimacy and the ‘Logic’ of Security,” 6–8; Balzacq, “Securitization Theory,” 346. 63 Balzacq, “Legitimacy and the ‘Logic’ of Security,” 6–8; Balzacq, “Securitization Theory,” 344. 64 Balzacq, “Securitization Theory,” 344–45. 65 Balzacq, “Legitimacy and the ‘Logic’ of Security,” 6; Balzacq, “Securitization Theory,” 345–46. 66 Balzacq, “Legitimacy and the ‘Logic’ of Security,” 7; Balzacq, “Securitization Theory,” 346.


32

practice or policy.67 A deficit of legitimacy occurs upon the weakening, among the audience, of the

shared beliefs that initially justified the extraordinary measures. De-legitimation occurs when there

has been a demonstrable erosion of the consent that sustains extraordinary measures, and a

practice or policy will be found illegitimate if audience consent is totally and demonstrably

withdrawn, or if it is ultimately decided that its pursuit abrogates the legal order of a given political

system. It should be noted that while a policy or practice may be properly legal in a domestic sense,

it may be found to abrogate international law or vice versa, and thus be considered illegitimate.68

There are several questions that must be considered when examining a securitising process, and

CST as a whole. When considering the legitimacy of a securitising process in particular, it is

important to question whether the legitimacy of a security policy or practice depends on the

individual legitimacy of the constitutive elements (i.e., the securitising actor; the reference object;

the justification, etc.). More specifically, does the legitimacy of the overall action plan override the

potentially illegitimate nature of one or more of any of these elements? Further, is there a measure

for the level of consent that is required for a policy or practice (extraordinary measures), and thus

a securitisation process, to be legitimate (and successful)? While the notion of legitimacy may seem

a uniquely academic concern, the perceived legitimacy of any party trying to induce a particular

action or effect will always affect the audience’s response. In terms of a securitisation, it must be

acknowledged that for a policy-maker or government representative to successfully securitise an

issue, they must first convince the audience they have the legitimate right to do so.69 Whilst it is beyond

the scope of this thesis to fully explore each of these questions, they nonetheless represent an

influence on the design and application of securitisation theory in any form.

As will be discussed in later sections of this thesis, the audience is crucial to the understanding and

implementation of CCI. Cyberspace multiplies the attack surface that is vulnerable to hostile

actors, and therefore the surface that the state needs to secure. Individuals participate en masse in

cyberspace, and so represent a threat vector (if exploited for adversarial gain) and a vulnerability.

If a significant portion of the population fails to engage in CCI and security practices, the aggregate

security of the state is likely to be negatively impacted. The audience must therefore be convinced

67 Balzacq, “Legitimacy and the ‘Logic’ of Security,” 8; Holger Stritzel and Sean C Chang, “Securitization and Counter-Securitization in Afghanistan,” Security Dialogue 46, no. 6 (December 1, 2015): 552–53, https://doi.org/10.1177/0967010615588725. 68 Balzacq, “Legitimacy and the ‘Logic’ of Security,” 8. 69 For example, a president or prime minister would presumably have a greater legitimate authority to speak security than a deputy undersecretary for employment or transport. While these portfolios are certainly a matter of nation interest, it is unlikely that they will present an existential threat to the state such that if left unmitigated the state may otherwise cease to exist in its current form.


33

of the necessity of engaging in these practices. In order to achieve this, the state must recognise

the audience as a vulnerability and design risk management measures; this will be discussed in-

depth in chapter six.

The Sectors of Security

One of the major intentions of CST is to widen the field of security studies beyond the traditional

focus on the military sector, and the traditional referent object of the state.70 Securitisation theory

recognises five key sectors on which security studies should focus, illustrated in Figure 3 - The

Sectors of Security: the military sector; the environmental sector; the economic sector; the

societal sector; and the political sector.71 While these sectors can be analytically separate fields, CST

recognises that security concerns can have an impact on or be influenced by multiples sectors

simultaneously;72 consequently, security issues are not and should not be viewed as sector-

exclusive. The following sections will address each of these security sectors separately, and then

consider the effects of cyberspace as a potential sixth sector, or as a functional pathway between

traditional sectors.73

70 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 1–5. 71 Buzan, Waever, and de Wilde, 7–8; 49–162. 72 Buzan, Waever, and de Wilde, 8. 73 Sectoral analysis is not unique to Copenhagen securitisation theory – it also features heavily in regional security complex theory (RSCT). An in-depth analytic comparison is beyond the scope of this thesis, but for scholarship around RSCT see Barry Buzan, “The Logic of Regional Security in the Post-Cold War World,” in The New Regionalism and the Future of Security and Development: Volume 4, ed. Björn Hettne, András Inotai, and Osvaldo Sunkel, The New Regionalism (London: Palgrave Macmillan UK, 2000), 1–25, https://doi.org/10.1007/978-1-137-11498-3_1; Buzan, “Regional Security Complex Theory in the Post-Cold War World”; David A. Lake and Patrick M. Morgan, Regional Orders: Building Security in a New World (University Park: Penn State Press, 2010); Lubna Sunawar, “Regional Security Complex Theory: A Case Study of Afghanistan-Testing the Alliance,” Journal of Security and Strategic Analyses 4, no. 2 (Winter 2018): 53–78.

Military Environmental Economic

Societal Political Cyber

Figure 3 - The Sectors of Security


34

Military

The military sector, as the traditional focus of the security studies discipline, is the most widely

researched of the identified sectors in relation to security issues. It is also the most likely sector in

which the securitisation process can be considered highly institutionalised.74 Given the prevailing

conditions of anarchy in modern international history,75 the focus on military security and the

likelihood of military response to perceived threats has been high. With the increasing level of

globalisation and diversification of interdependent networks, it has been argued that it is time to

move beyond singularly militaristic views of security, both in terms of threat conceptions and

threat response.76 Despite critics’ claims that securitisation scholars’ focus remains, by and large,

on the military sector, securitisation has contributed to the broadening of the academic field.77

The sovereign state remains the most important referent object in the military sector, though not

the sole one.78 Generally speaking, the primary securitising actors are the political or military elites

of a state,79 though changing social structures may see the transformation of this presumption.

Military security agendas can usually be linked, in one form or another, to issues of state

sovereignty and the associated use of force to which the state has sole legitimate claim. 80According

to Buzan, Waever and de Wilde,81 “(m)ilitary security matters arise primarily out of the internal and

external processes by which human communities establish and maintain (or fail to maintain)

machineries of government.” While traditionally military security matters concerned the use of

force internally and/or external to the state, non-state actors are also a concern, as are rival

ideologies and issues such as (the control of) mass migration. This has consequences for our

understanding of threats to sovereignty, but also as relating to the function of the military apparatus

in the modern state. If the military is increasingly required to perform policing duties, or police

74 Buzan, Jones, and Little, The Logic of Anarchy: Neorealism to Structural Realism, 49. 75 Anarchy in the political sense refers to an international system of States for which there is no governing authority. As such, each States must constantly act for its own self-interest and security. According to Kenneth Waltz, “with many sovereign states, with no system of law enforceable among them, with each state judging its grievances and ambitions according to the dictates of its own reason or desire – conflict, sometimes leading to war, is bound to occur.” Kenneth W. Waltz, Man the State and War: A Theoretical Analysis, 2nd ed. (New York: Columbia University Press, 2001), 159. Consequently, “in anarchy there is no automatic harmony…A state will use force to attain its goals if, after assessing the prospects for success, it values those goals more than it values the pleasures of peace. Because each state is the final judge of its own course, any state may at any time use force to implement its policies. Because any state may at any time use force, all states must constantly be ready either to counter force with force or to pay the cost of weakness.” Waltz, 160. 76 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 3–5. 77 Balzacq, Léonard, and Ruzicka, “‘Securitization’ Revisited”; Nyman, “Securitization Theory,” 59–61; Williams, “Words, Images, Enemies.” 78 The referent object of a particular sector or securitizing move is whatever object has been designated in need of protection. Referent objects will be further examined in a later section of this thesis. 79 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 40. 80 Buzan, Waever, and de Wilde, 49–70. 81 Buzan, Waever, and de Wilde, 50.


35

forces are required to act in an increasingly militarised fashion, then both bodies have undergone

and/or will undergo a paradigm shift in terms of the relationship between civil society and armed

forces.82

Environmental

Concern surrounding the environmental sector is comparatively new in both academic and

political discourse. Those who would securitise the environment correlate a decline in

environmental health and stability to the decline of same for the human race.83 More frequently in

recent years, pro-environment actors have succeeded in bringing issues concerning environmental

degradation to the global stage.84 What these actors have not succeeded in doing, however, is

convincing their audiences (not just the public, but policymakers in this instance) of the gravity of

the threat of environmental degradation: they have been unable to fully legitimise the claim of

existential threat that is required of a securitisation. Given the history of attempted securitisation

though, and the lack of immediacy that might defines an existential threat, there are grounds for a

claim of threat elevation in environmental issues. Threat elevation analysis will be articulated and

developed in chapter three.

Actors who would securitise the environment vary widely: state leaders, other politicians, activist

groups and influential celebrities have all contributed to the growing mediatisation of

82 See articles on the transfer of military technology and weapons to police forces in the US; see articles on the use of military forces in domestic counterterrorism in Europe. Charles J. Dunlap, Jr., “The Police-Ization of the Military,” Journal of Political and Military Sociology 27 (1999): 217–32; Timothy Edmunds, “What Are Armed Forces For? The Changing Nature of Military Roles in Europe,” International Affairs (Royal Institute of International Affairs 1944-) 82, no. 6 (2006): 1059–75; Human Rights Watch, “Transfer of Military Hardware to Police Could Lead to Abuses,” Human Rights Watch, August 30, 2017, https://www.hrw.org/news/2017/08/30/transfer-military-hardware-police-could-lead-abuses; Nathaniel Lee, “How Police Militarization Became an over $5 Billion Business Coveted by the Defense Industry,” CNBC, July 9, 2020, https://www.cnbc.com/2020/07/09/why-police-pay-nothing-for-military-equipment.html; Craig E. Merutka, “Use of the Armed Forces for Domestic Law Enforcement:” (Fort Belvoir, VA: Defense Technical Information Center, March 1, 2013), https://doi.org/10.21236/ADA589451; Tom Nolan, “Militarization Has Fostered a Policing Culture That Sets up Protesters as ‘the Enemy,’” The Conversation, June 2, 2020, http://theconversation.com/militarization-has-fostered-a-policing-culture-that-sets-up-protesters-as-the-enemy-139727; K. Jack Riley and Aaron C. Davenport, “How to Reform Military Gear Transfers to Police,” RAND Corporation, July 13, 2020, https://www.rand.org/blog/2020/07/how-to-reform-military-gear-transfers-to-police.html; Hugh Smith, “The Use of Armed Forces in Law Enforcement: Legal, Constitutional and Political Issues in Australia,” Australian Journal of Political Science 33, no. 2 (July 1998): 219–33, https://doi.org/10.1080/10361149850624. 83 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 79–80. 84 Jon Barnett, The Meaning of Environmental Security: Ecological Politics and Policy in the New Security Era (London: Zed Books, 2001); Niloy Biswas, “Is the Environment a Security Threat? Environmental Security beyond Securitization,” International Affairs Review 20, no. 1 (2011): 1–22; David Goldberg, “Lessons from Standing Rock - Of Water, Racism, and Solidarity,” The New England Journal of Medicine 384, no. 14 (2017): 1403–5; Temryss MacLean Lane, “The Frontline of Refusal: Indigenous Women Warriors of Standing Rock,” International Journal of Qualitative Studies in Education 31, no. 3 (March 16, 2018): 197–214, https://doi.org/10.1080/09518398.2017.1401151; Norman Myers, “Environment and Security,” Foreign Policy, no. 74 (1989): 23–41, https://doi.org/10.2307/1148850.


36

environmental issues.85 It could also be argued that this securitisation has been met with some

success; accords and environmental protection treaties have been struck between states, a recent

example being the activation of the Paris Accords on November 4, 2016 following ratification by

the European Union (EU), Canada, Nepal, and India.86 These ratifications brought the Paris

Accords over the required threshold for activation, and aim to make certain requirements of states

in order to mitigate environmental damage.87 Certain arguments have been made that, in the

absence of imminent threat (meteor, super-quake, etc.) to the human race that the environment

has been ‘riskified’ rather than securitised,88 and this involves risk management rather than

reversion to extraordinary measures. While this is a coherent argument, a number of scientific

experts are (rather stridently) confirming that we as a race are tipping the global environmental

balance past what the Earth can conceivably support or recover from,89 and in this instance a

securitisation may be a better-supported process than a riskification. It could be argued that the

actions taken by individuals, organised groups and states over the last twenty years in response to

environmental concerns were the requisite period of riskification of a perceived threat, and that

we have now (necessarily) moved on to the subsequent securitising process.

When an issue is riskified rather than securitised, it is framed as less than existentially threatening;

the issue is positioned as a risk that should/can be managed within a certain framework. By nature,

85 Molly Beauchemin, “17 Celebrities Who Actively Work to Protect the Environment,” Garden Collage Magazine, November 8, 2017, https://gardencollage.com/change/climate-change/celebrities-care-environment-want-know/; Wane Buente and Chamil Rathnayake, “#WeAreMaunaKea: Celebrity Involvement in a Protest Movement,” in IConference 2016 Proceedings (iConference 2016: Partnership with Society, Philadelphia, USA: iSchools, 2016), https://doi.org/10.9776/16311; Geoffrey Craig, “Celebrities and Environmental Activism,” in Media, Sustainability and Everyday Life, by Geoffrey Craig, Palgrave Studies in Media and Environmental Communication (London: Palgrave Macmillan UK, 2019), 135–63, https://doi.org/10.1057/978-1-137-53469-9_6; Julie Doyle, Nathan Farrell, and Michael K. Goodman, “Celebrities and Climate Change,” Oxford Research Encyclopedia of Climate Science, September 26, 2017, https://doi.org/10.1093/acrefore/9780190228620.013.596; Ranker, “22 Celebs Who Are Saving the Environment,” Ranker, May 31, 2019, https://www.ranker.com/list/celebrity-environmentalists/celebrity-lists. 86 United Nations, “Paris Agreement - Status of Ratification,” United Nations Climate Change, 2016, https://unfccc.int/process/the-paris-agreement/status-of-ratification. 87 Oliver Milman, “Paris Climate Deal a ‘turning Point’ in Global Warming Fight, Obama Says,” the Guardian, October 5, 2016, http://www.theguardian.com/environment/2016/oct/05/obama-paris-climate-deal-ratification. 88 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 79–80; Corry, “Securitisation and ‘Riskification.’” 89 Stephen Leahy, “Climate Change Driving Entire Planet to Dangerous ’global Tipping Point‘,” Science, November 27, 2019, https://www.nationalgeographic.com/science/article/earth-tipping-point; Timothy M. Lenton et al., “Climate Tipping Points — Too Risky to Bet Against,” Nature 575, no. 7784 (November 2019): 592–95, https://doi.org/10.1038/d41586-019-03595-0; Michael Marshall, “The Tipping Points at the Heart of the Climate Crisis,” the Guardian, September 19, 2020, http://www.theguardian.com/science/2020/sep/19/the-tipping-points-at-the-heart-of-the-climate-crisis; Oliver Milman, “James Hansen, Father of Climate Change Awareness, Calls Paris Talks ‘a Fraud,’” the Guardian, December 12, 2015, http://www.theguardian.com/environment/2015/dec/12/james-hansen-climate-change-paris-talks-fraud; Fred Pearce, “As Climate Change Worsens, A Cascade of Tipping Points Looms,” Yale E360, December 5, 2019, https://e360.yale.edu/features/as-climate-changes-worsens-a-cascade-of-tipping-points-looms.


37

a risk has the potential to become a threat but if managed properly, that potential can be mitigated.

By riskifying an issue rather than securitising it, actors can reduce the negative public impact

sometimes associated with the use of extraordinary measures, and avoid the necessity of those

extraordinary measures that threat mitigation requires in an existential crisis. Given the socially

accepted permanency of the environment and the lack of immediate perceivable threat to humanity

emanating from environmental degradation, then a securitisation may not be possible. This is not

to say that securitisation should not take place; merely that there may not be the political will to

expend the social, political, and economic capital required to securitise the environment. The

context is not extraordinary and so does not recognise special circumstances that require extra

powers of threat mitigation. In the event that the political context of environmental degradation

rises above and out of the ordinary, then arguments could be made for a securitising process with

a reasonable chance of success.

Regardless of classification, the environmental sector is considered a crucial field of security

studies.90 Given recent political practice, and the dangers of an unstable environment, this is rather

pragmatic. The environmental sector is also one of the broadest sectors, comprised of both a

political and a scientific agenda that span a diverse array of security concerns, including: the

disruption or degradation of ecosystems; energy concerns; population growth; food production;

economic concerns; and civil strife.91 These factors also contribute to global disease outbreak,

pandemic or epidemic, and control, which would severely threaten the security of a state if

sufficiently severe.

Environmental concerns are also, arguably, among the most difficult to solve given that solutions

must, by their nature, force a change in human behaviour on a global scale. Buzan, Waever and de

Wilde also take the time to point out that the environment can only be securitised insofar as the

human race (or some facet of human organisation/community) is the referent object of the

existential threat.92 Short of a literal planet-destroying threat, what takes place in the crust of the

Earth is unlikely to endanger the existence of the planet itself. As such, for a successful

environmental securitisation to occur, we as a race must be existentially (and near-immediately)

threatened.

90 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 71–94. 91 Buzan, Waever, and de Wilde, 73–75. 92 Buzan, Waever, and de Wilde, 76.


38

Economic

The third security sector identified by CST is that of the economy. Economic security is a

controversial area of security studies, given the inherently insecure nature of the current

international economic system (liberal capitalism), and the heavy politicisation of economic

issues.93 Within the current system, Buzan Waever and de Wilde identify instability and inequality

as being the foci of economic security agendas.94 As the international economy is susceptible to

systemic crises, such as the 2008 Global Financial Crisis (GFC),95 the economic sector is

securitisable under the right conditions. Five issues are identified in Security: A New Framework for

Analysis96 as belonging to the economic security agenda:

a) The ability of an economy to support independent military mobilisation should the

need arise

b) Resistance to/ability to absorb market instability for resources such as oil

(economic dependencies)

c) Whether or not existing conditions will increase global inequality

d) The pressures of industrialisation on both international trade and the environment

e) International economic crisis in the case of insufficient political leadership,

protectionist trade policies, and/or an unstable global financial system.

Stable conditions in the international system are thus crucial to economic security, but also

something that are inherently impossible to either predict or ensure. States can (and do) take certain

measures intended to support international economic stability and security, but history has proven

true stability an improbable likelihood. For example, increasing automation of global financial and

stock markets also add a margin of risk to economic stability – algorithms can trade at unbelievable

speed and, without oversight, can cause enormous losses in mere seconds.97

As with all identified security sectors, the specific nature of an existential economic threat depends

entirely on the referent object in question. Generally speaking, while individuals and firms can

pose security economic threats at sub-state levels, the state has the greatest capacity for economic

securitisation. An existential economic threat to the state will have trickle-down effects for all

93 Buzan, Waever, and de Wilde, 95–118. 94 Buzan, Waever, and de Wilde, 95–118. 95 Reserve Bank of Australia, “The Global Financial Crisis | Explainer | Education,” Reserve Bank of Australia, April 17, 2019, Australia, https://www.rba.gov.au/education/resources/explainers/the-global-financial-crisis.html. 96 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 98. 97 Corporate Finance Institute, “Flash Crashes - Overview, Causes, and Past Examples,” Corporate Finance Institute, 2021, https://corporatefinanceinstitute.com/resources/knowledge/finance/flash-crashes/; Ben Hammersley, Approaching the Future: 64 Things You Need to Know Now for Then (Soft Skull Press, 2013), 151–52; 344–45.


39

actors within that state, and very likely on all states with whom the threatened party has a

relationship.98 However, modern states, for the most part, are peculiarly immune to threats that

would be existential to other actors in the economic sector. The continued existence of certain

states (particularly developed ones that participate fully in the international economic and political

systems) is in the interest of the existing international system.99 As seen with Greece in recent

years, it is highly unlikely that a modern economy in the current international systems will be allowed

to fail.100 Given the inherent difficulties and diverse concerns in the economic sector, economic

securitisation is a challenging proposition.

Societal

The societal sector is arguably the sector furthest removed from traditional security studies. The

societal sector primarily concerns issues of identity. Communities, or societies, form and maintain

identities removed from their membership to a particular state.101 In certain communities, societal

boundaries are not coterminous with state boundaries, and so the societal security of one

community may involve many states and jurisdictions. One example of this situation would be the

Kurdish society, covering territory in several Middle Eastern states.102 Another example would be

the Palestinian nation.103 Buzan, Waever and de Wilde point out the importance of differentiating

between social security concerns and societal security concerns.104 Where social security refers

primarily to the individual and their economic concerns, societal security is “about collectives and

their identity.”105 There are ambiguities surrounding terms such as ‘societal’, and the associated

concept of a ‘nation’. For Buzan, Waever and de Wilde this can be ascribed to the peculiarly self-

constructed community, as it derives its existence from the self-association of individuals to an

imagined collective.106

98 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 104. 99 Failed or failing States, or States experiencing significant civil unrest can have an economic impact on neighbouring States, the general region, and the international system at large. Because the economy is tied to political and social security, an unstable or deficient economy can produce further security concerns such as piracy; kidnapping; and general disorder as individuals begin to act in a self-interested and survivalist manner. 100 Council on Foreign Relations, “Greece’s Debt Crisis Timeline,” Council on Foreign Relations, 2021, https://www.cfr.org/timeline/greeces-debt-crisis-timeline. 101 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 119–21. 102 Buzan, Waever, and de Wilde, 132–33; The Kurdish Project, “Where Is Kurdistan?,” The Kurdish Project (blog), 2021, https://thekurdishproject.org/kurdistan-map/. 103 Technically, the Palestinians have specified territory but it is not a state and the Palestinians themselves are widespread. United Nations, “History of the Question of Palestine,” Question of Palestine (blog), March 19, 2020, https://www.un.org/unispal/history/. 104 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 119–20. 105 Buzan, Waever, and de Wilde, 120. 106 Buzan, Waever, and de Wilde, 120–21.


40

Buzan, Waever and de Wilde identify three primary areas of concern to the societal security agenda:

migration; horizontal competition; and vertical competition.107 When referring to the migration

concern, they refer to the cultural transformation of the receiving community as a result of

migration. Thus, identity shifts are a direct threat to extant societal identity. Horizontal competition is

herein understood as the cultural transformation of one society or community due to direct

influence of a proximate, dominant culture. In contrast, vertical competition refers to the way an

individual may view their own cultural identity due to either a centripetal or centrifugal cultural

shift; that is, whether they perceive a wider or narrower societal identity.108

In addition to these three primary societal concerns, depopulation is a possible fourth one as it

contributes to a loss of perceived identity. However, unless the depopulation threatens the

breakdown of society at large (such as in an ethnic cleansing), issues created by depopulation

should fall within the bounds of the three overarching issues identified above.109 In the case of

ethnic cleansing, a minimum of three sectors are involved: military, societal, and political.

Political

The fifth and final sector examined by CST is the political one, which concerns “the organisational

stability of social order(s).”110 In addition to non-military threats to political units, system-level

concerns are also possible referent objects in the political sector; Buzan et al. offer international

law as a political referent object, for example. 111 The political sector is also where (normative)

principles such as human rights, or potential human rights, can be securitised.112 Due to the broad

and diverse nature of what can be considered a political threat, and admitting that all security

concerns are political to some degree, the political sector security agenda is paradoxical and

problematic to deal with. At risk of incoherency, security threats that involve “military,

identificational, economic or environmental means are necessarily excluded from this sector.”113

107 Buzan, Waever, and de Wilde, 121. 108 Buzan, Waever, and de Wilde, 121. 109 Buzan, Waever, and de Wilde, 121. 110 Buzan, Waever, and de Wilde, 121. 111 Buzan, Waever, and de Wilde, 121. 112 While some human rights are considered a settled matter both normatively and legally (those enshrined in the Universal Declaration of Human Rights (UDHR)), such as freedom or religion or the right to necessities of life, human rights issues continue to develop. For example, Estonia has declared Internet access to be an unassailable human right. This is not a widespread view, but the fact remains that it is a recent development in the human rights dialogue. And in an increasingly digital-dependent, technologised society, it is possible that the right of access to the Internet will be adopted in other States Estonia one day may be considered the vanguard of a digital rights movement. M. Lesk, “The New Front Line: Estonia under Cyberassault,” IEEE Security Privacy 5, no. 4 (July 2007): 76–79, https://doi.org/10.1109/MSP.2007.98; Visit Estonia, “E-Estonia | Why Estonia?,” Visitestonia.com, 2021, https://www.visitestonia.com/en/why-estonia/estonia-is-a-digital-society. 113 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 121.


41

As such, the security agenda of the political sector is composed of those issues which are

predominantly political in character.114

Political threats are those seen to disrupt or destabilise the organisational stability of the state. That

is to say, a political threat may involve something like a secessionist movement, which would

destabilise the existing state. It could be the targeting of a particular policy, or the total overthrow

of an existing political regime.115 According to Buzan et al., 116 “political threats are about giving or

denying recognition, support, or legitimacy.”117 These threats concern not just political actors such

as states, but also the institutions and processes involved in politics, assuming politics to be “the

shaping of human behaviour for the purpose of governing large groups of people.118

In addition to the modern territorial/sovereign state, three further referent objects of the political

sector are identified as quasi-super states (for example, the EU); organised societal groups (such

as tribes); and transnational movements (such as the major religions, or ideological movements

like communism).119 Due to the organised and often hierarchical nature that such actors

characteristically possess, the securitising actors are also usually well-defined. Each of the

aforementioned actors have leaders, institutional processes, or other authorised representatives

that may speak security on behalf of the collective.

The Cyber Sector

Having identified the traditional sectors across which CST analyses security, I now briefly consider

the cyber sector – is this a new sector of security, further widening the analytical field as Buzan et

al. intended? Or is cyberspace simply a pathway that connects the traditional sectors of security in

new or faster ways, introducing a variety of security issues which are nonetheless bounded in

traditional fields? This is an area which the current thesis is not specifically designed to address;

however, in examining the ways in which cyberspace is elevated as a threat to security, it may be

114 Buzan, Waever, and de Wilde, 142. 115 Buzan, Waever, and de Wilde, 142. 116 Buzan, Waever, and de Wilde, 142. 117 One example in which both provision and acceptance of legitimacy posing a political threat is the case of Taiwan. By refusing to recognise the political independence and legitimacy of Taiwan, the People’s Republic of China (PRC) poses a political threat to the governing authorities of Taiwan. Any recognition of political independence or legitimacy of Taiwan by third parties is perceived as a political threat to the PRC, as it views Taiwan to be a rightful territory of China. This particular political threat is highly securitisable; there are societal, economic, and military implications to the securitisation of such a politically charged issue as Taiwan. It is proof positive, however, that perception and context play a significant role in any securitizing process, and that issues on the political agenda often have flow-on effects in additional sectors. 118 Jones & Little 1993, 35 in Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 145–46. 119 Buzan, Waever, and de Wilde, 145–46.


42

possible to ascertain whether or not it is in fact considered a new, sixth security sector, or if it is

simply considered seen by states to be a vehicle for traditional threats. The view of cyberspace by

a modern state will be covered further in the examination of threat perception by the UK in chapter

four, but I would argue that cyberspace is not necessarily a sixth domain or a vehicle for threats to

previous, traditional domains. Instead, I view cyberspace as the network or system of pathways

that connect all five of the previously-considered sectors. Cyberspace can of course be used as a

vehicle for attack and exploitation, and is often referred to as the cyber domain. For the purposes

of this thesis, however, I consider the cyber sector to be both a unique sector of interaction as well

a ‘connective tissue’ that connects the five sectors considered by Buzan, Waever and de Wilde.120

Cyberspace depends on physical infrastructure, and affects all sectors of society. If removed,

society would undergo considerable upheaval and change, but the other five sectors would still

exist. It is a system, or system of systems, as well as a disparate sector. It is a connective overlay

through which risks and threats can be both elevated and attenuated, extending and boosting the

risk and threat potential of previously specified analytical sectors. Because cyberspace has this

signal-boosting capacity that can radically alter threat and risk relationships and calculations,

traditional securitisation theories are not best equipped to actually integrate cyberspace into their

analytical frameworks. I offer an alternative in chapter three.

Criticisms of Securitisation Theory

Securitisation theory has been subject to (occasionally strident) criticisms since Buzan, Waever and

de Wilde first offered CST. Among its detractors, securitisation theory suffers a multitude of

weaknesses. In my examination of the existing body of literature, several of these weaknesses

seemed more prevalent; these observed weaknesses I examine and address in the following

sections. In an increasingly cyber-enabled international system, and in conditions where the

individual is an actor in the same space as the state (cyberspace), there are a number of elements

of CST that, in their current form, cannot explain the process of cyber ‘securitisation.’ Among

these criticised elements are the speech act; propaganda of the deed; the diffusion of legitimate

authority; the role of the international media and cyber-enabled communications; pre-existing

theoretical frameworks; post-Copenhagen theories; and framing.

120 The military; political; environmental; economic; and societal sectors.


43

Relevance of Speech Acts

The speech act as understood in CST is an illocutionary act; it is the performative act that initiates

the active process of securitising a threat.121 The illocutionary force of a speech act is

communicated by what an actor does, in saying something. Specifically, for the purpose of

traditional securitisation theory, in saying that a particular threat is existential in nature to an

identified referent object, that actor makes or actively constructs that issue as a threat. The speech act

is the discursive legitimation, the designation of existential threat. However, in the contemporary

digital era, the speech act as a vocalisation by a legitimate securitising actor may not hold the

primary importance it once did. I would argue that by examining and reverting to the base

definition of discourse, it is possible to interpret the necessity of a speech act beyond just the

vocalised statement. This reduces the applicability of criticisms calling into question the relevance

of CST in the digital era,122 allowing a wider interpretation of the securitising move as a whole. If,

for example, an official publication by a legitimate authority can be considered a discursive

legitimation of a securitising process, the reliance of CST on actual speeches is reduced. Discursive

legitimation, simply put, is the act of making something lawful through a particular mode of

discourse.123 While discourse in popular understanding might be construed as a vocal

communication between parties, in fact it is defined as

a) a formal discussion of a topic in speech or writing; and

b) a connected series of utterances; text or conversation.124

Extrapolating further, Peoples & Vaughan-Williams state that “discourse commonly refers to

words, but can also include other data such as visual images, material objects, and social

institutions.”125 By accepting the validity of the communication of ideas and modes of thought

121 Hisham Abdulla offers a succinct explanation of the three variations of speech act: locutionary, illocutionary, and perlocutionary. The terms were originally explored by John Austin, still considered the authoritative work on the linguistic distinctions. “The locutionary act is the act of saying something with a certain sense and reference; the illocutionary act is the act performed in saying something, i.e., the act named and identified by the explicit performative verb. The perlocutionary act is the act performed by, or as a consequence of, saying something.” Austin, in Hisham Abdulla, “Locutionary, Illocutionary and Perlocutionary Acts Between Modern Linguistics and Traditional Arabic Linguistics,” Al-Mustansiriya Literary 55 (2012): 62. Accepting Judith Butler’s definition, Matt McDonald defines illocutionary acts as those performing a function at the moment of speech, and perlocutionary acts as those necessary for enabling particular actions. McDonald, “Securitization and the Construction of Security,” 572. 122 Balzacq, Léonard, and Ruzicka, “‘Securitization’ Revisited,” 510–17; McDonald, “Securitization and the Construction of Security,” 564–75; Williams, “Words, Images, Enemies,” 524–28. 123 Jens Steffek, “Discursive Legitimation in Environmental Governance | Elsevier Enhanced Reader,” Forest Policy and Economic 11 (2009): 314–15, https://doi.org/10.1016/j.forpol.2009.04.003; Eero Vaara, “Struggles over Legitimacy in the Eurozone Crisis: Discursive Legitimation Strategies and Their Ideological Underpinnings,” Discourse & Society 25, no. 4 (July 1, 2014): 502–3, https://doi.org/10.1177/0957926514536962. 124 Oxford Dictionary, “Discourse| Definition of Discourse by Oxford Dictionary,” Lexico Dictionaries | English, 2021, https://www.lexico.com/definition/discourse. 125 Peoples and Vaughan-Williams, “Introduction,” 6.


44

through mediums beyond vocalisation by legitimate authority, to include (tele)visual images, the

concept of the ‘speech act’ can be applied in a more contemporary manner. As an example of the

securitising power of images, I would argue that the broadcasted image of the Twin Towers,

billowing smoke just before they collapsed on September 11, 2001 performed just as successful a

discursive legitimation of extraordinary measures as a speech made in the aftermath – see Figure

4 - Photo: Robert Clark, Associated Press, 2001. By this interpretation, an authorised press release

or published statement from an authoritative figure (or organ of a particular collective) may also

act as a discursive legitimation. Accordingly, documents such as national security strategies, direct

political communications et cetera may be substituted for the traditional speech act.

Figure 4 - Photo: Robert Clark, Associated Press, 2001

Propaganda of the Deed

An image such as the Twin Towers billowing smoke immediately before falling serves an additional

purpose beyond a securitising image. It is also indicative of the securitising nature of propaganda

of the deed; the act of terrorism securitising an issue before a legitimate authority can do so. An

act of terror brings the motivations associated with that act to the forefront of the public attention

by way of instantaneous broadcast media, in a day and age where those broadcasts will reach tens

of millions of people in dozens of countries within minutes or even seconds of that terrorist act

occurring. While we as a people may have become inured to violence on the media, terrorism still


45

has the ability to shock. This shock, in addition to the brutality of terrorist acts and the deliberate

targeting of civilians for which terrorism is known, contributes to a sort of mass securitisation.126

The latter, one could argue, is the swiftest form of threat elevation. Rather than a political or

military leader having to convince a relevant audience (the public, in the case of liberal

democracies) of the necessity of extraordinary measures, after a significant act of terror, it is the

public who will elevate the perceived danger of a threat such that for which extraordinary measures

may be called upon.

While this is not common (the events of September 1, 2001 being unique in many respects), I

would argue that according to the elevation variant of securitisation theory that I will offer in this

thesis, the securitisation remains valid despite the unusual process of elevation. In point of fact,

the use of terrorism as a political tool and the subsequent advantages provided by broadcast media

could be considered the instigating elements of a securitising process. There is nothing to suggest

that an actor may not undertake an action with the intent of utilising that action, or the

consequences thereof, to support a securitisation in the immediate aftermath of the act itself.

According to this interpretation, the attack on the Twin Towers by Osama bin Laden’s al-Qaeda

was the opening salvo in a securitisation of Western presence in the Middle East. The existence of

Western culture, persons and influence in territory traditionally under the influence of Islamic faith

came to be considered an existential threat.127 By way of broadcasts, meetings, and communications

passed verbally, through email and video, Osama bin Laden (the securitising actor) convinced the

relevant audience (those of sympathetic faith or feeling) that for the Muslim world to overthrow

the yoke of Western influence and succeed triumphant, the West must be attacked and brought

low.128 He successfully securitised the existence and the global reach of the US in particular, and

through extensive planning and training, utilised extraordinary measures to strike against the

perceived threat.129 In turn, the attack on the World Trade Centre in September of 2001 securitised,

almost instantaneously, both Osama bin Laden as an individual and al-Qaeda as an organisation

with hostile intentions against the Western world. Terrorism, as propaganda of the deed, was

employed as part of a securitisation. In addition to propaganda of the deed as a securitising event

or justification for a securitising move, black propaganda and disinformation campaigns are

contributing to the elevation of threat perception in various security sectors – this will be examined

closely in chapter six.

126 Bruce Hoffman, Inside Terrorism, 3rd ed., Columbia Studies in Terrorism and Irregular Warfare (New York: Columbia University Press, 2017), 2–5; 32–36. 127 Hoffman, 95. 128 Hoffman, 141–45. 129 Hoffman, 141–45.


46

Diffusion of Authority

In the past, it would have been reasonable to state that the only legitimate securitising actor would

have been a state or military leader, as the authoritative representative of their state. In modern

times, with the profusion of security threats to actors within the state as much as the state itself,

the number of actors who may legitimately speak security is growing. Beyond the ability of the

individual to speak security on their own behalf (somewhat subsumed by their social contract with

the state), those individuals can also speak security, when authorised, on behalf of various

collectives. While in itself this is not a particularly novel set of circumstances, it could be argued

that the security concerns of non-state actors are increasingly affecting the security concerns of

the state, in addition to receiving much attention for their own security status.

Non-governmental organisations (NGOs) such as Greenpeace and 350.org in the environmental

sector,130 Médecins Sans Frontières (MSF) and similar organisations in the global health sector are

speaking security on behalf of not just their (relatively) limited collective, but on an international

and even global scale.131 The various agencies within the United Nations (UN) framework also

speak security on an international to global scale,132 and because of their perceived authority and

social capital, these views are absorbed into multi and transnational corporations such as Apple

and Google. In turn, these can also speak security not simply on their own corporate concerns,

but increasingly on behalf of the general public, to include those who do not necessarily constitute

their customer base. One need only look at the conflict between the Apple Corporation and the

US Federal Bureau of Investigation (FBI) to see how these corporations are not only speaking

security, but how they are affecting security on a massive scale,133 with worldwide repercussions.

130 Greenpeace International, “Greenpeace International,” Greenpeace International, 2021, https://www.greenpeace.org/international; 350.org, “350.Org: A Global Campaign to Confront the Climate Crisis,” 350.org, 2021, https://350.org. 131 Médecins Sans Frontières, “Médecins Sans Frontières (MSF) International,” Médecins Sans Frontières (MSF) International, 2021, https://www.msf.org/. 132 UNAIDS, “UNAIDS | United Nations,” United Nations AIDS, 2021, https://www.unaids.org/en/Homepage; UNFPA, “UNFPA - United Nations Population Fund,” United Nations Population Fund, 2021, https://www.unfpa.org/; UNICEF, “UNICEF | United Nations,” United Nations Children’s Fund, 2021, https://www.unicef.org/; World Health Organization, “World Health Organization | United Nations,” United Nations World Health Organization, 2021, https://www.who.int. 133 Leander Kahney, “The FBI Wanted a Backdoor to the IPhone. Tim Cook Said No,” Wired, April 16, 2019, https://www.wired.com/story/the-time-tim-cook-stood-his-ground-against-fbi/; Arjun Kharpal, “Apple vs FBI: All You Need to Know,” CNBC, March 29, 2016, https://www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html; Jack Nicas and Katie Benner, “F.B.I. Asks Apple to Help Unlock Two IPhones,” The New York Times, January 7, 2020, sec. Technology, https://www.nytimes.com/2020/01/07/technology/apple-fbi-iphone-encryption.html.


47

With this diffusion of the capacity to speak security, the possibility arises of securitisation losing

intellectual coherence, as the number of actors within the framework grows. However,

securitisation is a process with a finite number of actors when examined in context and on a case-

by-case basis. As long as the parameters of the securitisation process are clearly designated and the

examined issue remains in focus, securitisation theory (particularly the elevation variant I offer in

this thesis) as an analytical framework remains applicable.

Role of the International Media and Cyber-enabled Communications

More so than in previous eras, the media is proving capable of not only supporting a securitising

move, but also enacting the securitising process and legitimating speech acts. Instantaneous

broadcast of newsreaders and contemporaneous events has resulted in a greater public awareness of

national, regional, and international security concerns that previously may not have impacted the

public psyche.134 By broadcasting these images to a global audience, often live and therefore in

advance of any official communiqué, the international media are engaging in securitisation whether

knowingly or not. If, as I have argued here, widely broadcasted images can be accepted as

discursive legitimation, then by that action news outlets have become securitising actors in and of

themselves. In a live-streaming culture like the one we now experience, whoever ‘breaks’ the news

has the opportunity to put the first ‘spin’ on whatever information (images or otherwise) they are

broadcasting.135 Thus, it is the media and not just political and social elites that are capable of either

maintaining the position of an issue within the bounds of normal politics, or elevating that issue

to a security threat by communicating that interpretation to a global audience. I refer again to the

historic image of the Twin Towers, an image that is in fact a still of what was a live, instantaneous

global broadcast that immediately changed the nature of national and international security, and

associated threats, from what had previously been understood and that had underpinned global

strategic defence frameworks.

134 Megan Le Masurier, “Slow Journalism in an Age of Forgetting,” Opinion, ABC Religion & Ethics (Australian Broadcasting Corporation, June 18, 2019), https://www.abc.net.au/religion/slow-journalism-in-an-age-of-forgetting/11221092. 135 Bob Burton, Inside Spin : The Dark Underbelly of the PR Industry (Crows Nest: Allen & Unwin, 2007), https://research.usc.edu.au/discovery/fulldisplay/alma999899902621/61USC_INST:ResearchRepository; Claes H. de Vreese and Matthijs Elenbaas, “Spin and Political Publicity: Effects on News Coverage and Public Opinion,” in Political Communication in Postmodern Democracy: Challenging the Primacy of Politics, ed. Kees Brants and Katrin Voltmer (London: Palgrave Macmillan UK, 2011), 75–91, https://doi.org/10.1057/9780230294783_5; Michelle Grattan, “The Politics of Spin,” Australian Studies in Journalism, 1998, 32–45; Aldo Antonio Schmitz and Francisco Jose Castilhos Karam, “The Spin Doctors of News Sources,” Brazilian Journalism Research 9, no. 1 (2013): 96–113.


48

This role of the securitising actor (one among many, it must be noted) is representative of the

transformation of news media from the objective watchdogs they have historically been considered

to be.136 While a certain perspective or bias is inherent in all written works, traditionally, the

journalist endeavoured to communicate objective facts, so that the reader, listener or viewer may

form their own opinion on a foundation of well-researched objectivity.137 Increasingly, particularly

with the corporatisation and conglomeration of media outlets, certain publications and broadcasts

have a somewhat deserved reputation for framing their communications in a particular way (often

politically-motivated), used to sway or otherwise influence opinions rather than provide objective

facts.

With this transformation of an unbiased news agent into political agent of change,138 the roles of

securitising actor and conveyor of securitising acts have converged, drastically reducing both the

timeframe in which a securitisation process may occur and the comparative size of the audience

that performative act of discursive legitimation may reach. With live and near-instantaneous

broadcast on a global scale, discursive legitimation can be performed on that same scale, instigating

an international securitising process that by nature is much larger than any historic securitisations.

The rise of social media, enabled by cyberspace, has only served to hasten this process.

This not only regionalises and globalises security issues more rapidly than may have previously

been possible, but it will also become apparent almost immediately if there is a strong support for,

or opposition to, the securitisation by way of various media and social media outputs. The ever-

increasing reach and influence of the global media is an element that needs to be included in any

analysis of contemporary securitisation processes. One need only point to the 2016, 2018, and

2020 US elections to observe the effects of the media, to include social media platforms, on both

136 Sandrine Boudana, “A Definition of Journalistic Objectivity as a Performance,” Media, Culture & Society 33, no. 3 (April 1, 2011): 385–98, https://doi.org/10.1177/0163443710394899; Peter Galison, “The Journalist, the Scientist, and Objectivity,” in Objectivity in Science, ed. Flavia Padovani, Alan Richardson, and Jonathan Y. Tsou, vol. 310, Boston Studies in the Philosophy and History of Science (Cham: Springer International Publishing, 2015), https://doi.org/10.1007/978-3-319-14349-1; Einar Thorsen, “Journalistic Objectivity Redefined? Wikinews and the Neutral Point of View,” New Media & Society 10, no. 6 (December 1, 2008): 935–54, https://doi.org/10.1177/1461444808096252. 137 Boudana, “A Definition of Journalistic Objectivity as a Performance”; Galison, “The Journalist, the Scientist, and Objectivity”; Thorsen, “Journalistic Objectivity Redefined?” 138 I note that the role of the media is intended to be objective and unbiased, insofar as that is possible. It is important to clarify that many modern news sources are not objective or unbiased, and too few of those services clarify their biases. For the purposes of this thesis, I accept the theoretical definition of news media as unbiased. See Boudana, “A Definition of Journalistic Objectivity as a Performance”; Thorsen, “Journalistic Objectivity Redefined?”


49

political and social life.139 Studies indicate that social media in particular affected both the

information people had access to and the political parties and candidates they were likely to

support. In fact, it had the effect of supporting preconceived opinions and further separating the

political stances between the left and the right - social media platforms in conjunction with

traditional news sources radicalised political views and resulted in chaotic, scandal-riven elections

still being debated years later. In fact, the global media has done much to securitise the presidency

of Mr. Donald Trump, 45th President of the US. As a case study, the 2016 election showcased a

number of theoretical elements of interest, such as the enmity/exclusion dynamic, the politics of

emergency, and the link between existential threats and the sovereign/decision-making apparatus.

These elements, found in CST, can also be observed in the Schmittian realism framework, leading

to the criticism that CST does not truly offer any unique analytical tools to the body of political

theory at large.140 The sixth chapter of this thesis examines the relationship between CCI and

disinformation. One of the primary vectors of disinformation in contemporary times are the major

social media platforms, on which ‘fake news’ travels up to six times faster than accurate

information, or ‘true news.’141 Disinformation can deepen enmity/exclusion dynamics, induce

political emergency and reduce the integrity of democratic structures.

Pre-existing Analytical Frameworks

Like many political theories, the points of analysis and certain elements of the CST framework are

similar to those employed by other frameworks. For several pertinent elements, however, there is

an undeniably strong correlation between the framework of traditional securitisation, and so-called

Schmittian realism. This has contributed to the argument that in fact, CST does not contribute to

existing theoretical knowledge in any real terms. Michael Williams notes the links between

139 Sinan Aral and Dean Eckles, “Protecting Elections from Social Media Manipulation,” Science 365, no. 6456 (August 30, 2019): 858–61, https://doi.org/10.1126/science.aaw8243; Alessandro Bessi and Emilio Ferrara, “Social Bots Distort the 2016 U.S. Presidential Election Online Discussion,” First Monday 21, no. 11 (November 3, 2016), https://doi.org/10.5210/fm.v21i11.7090; Emilio Ferrara et al., “Characterizing Social Media Manipulation in the 2020 U.S. Presidential Election,” First Monday, October 19, 2020, https://doi.org/10.5210/fm.v25i11.11431; R. Kelly Garrett, “Social Media’s Contribution to Political Misperceptions in U.S. Presidential Elections,” PLOS ONE 14, no. 3 (March 27, 2019): e0213500, https://doi.org/10.1371/journal.pone.0213500; Sangwon Lee and Michael Xenos, “Social Distraction? Social Media Use and Political Knowledge in Two U.S. Presidential Elections,” Computers in Human Behavior 90 (January 1, 2019): 18–25, https://doi.org/10.1016/j.chb.2018.08.006. 140 Felix Ciutǎ, “Security and the Problem of Context: A Hermeneutical Critique of Securitisation Theory,” Review of International Studies 35, no. 2 (2009): 301–26; Floyd, “Can Securitization Theory Be Used in Normative Analysis? Towards a Just Securitization Theory”; Kalyvas, Democracy and the Politics of the Extraordinary; Rita Taureck, “Securitization Theory and Securitization Studies,” Journal of International Relations and Development 9, no. 1 (March 2006): 53–61, http://dx.doi.org.virtual.anu.edu.au/10.1057/palgrave.jird.1800072. 141 Peter Dizikes, “Study: On Twitter, False News Travels Faster than True Stories,” MIT News | Massachusetts Institute of Technology, March 8, 2018, https://news.mit.edu/2018/study-twitter-false-news-travels-faster-true-stories-0308; Larry Greenemeier, “False News Travels 6 Times Faster on Twitter than Truthful News,” PBS NewsHour, March 9, 2018, https://www.pbs.org/newshour/science/false-news-travels-6-times-faster-on-twitter-than-truthful-news.


50

securitisation theory and the idea of politics of the extraordinary as conceived by German political

philosopher Carl Schmitt.142 Schmittian realism has several notable elements: the friend/enemy

dichotomy or enmity/exclusion division, the exceptionalism of the decision-maker, and the

aforementioned politics of the extraordinary. The correlation between these elements and the

securitisation concepts of threat perception, the (legitimacy of the) securitising actor, and the

existence of extreme necessity is clear. While not the first to observe the distinct similarities

between securitisation and Schmittian realism, Williams offers a succinct and logical examination

of the relationship.

Noting that, despite broad conception of securitisation and the politics of the extraordinary as

negative phenomena, Williams states that both are in fact capable of positive impact. He goes on

to identify the politics of the extraordinary as “the declaration of existential threat and, if

successful, the generation of the capacity to break free of the rules of ‘normal’ politics.”143 The

positive possibilities of the politics of the extraordinary are when the focus of the securitisation

places “the question of constituent power at the centre of concern.”144 Accordingly, once you

move beyond the traditional (and Schmittian) friend/enemy dichotomy, or enmity and exclusion

calculation, the possibility exists for securitisation to become a valuable tool for positive social

change, particularly if constituent power in the form of the relevant audience can be harnessed in

order to de-securitise security issues. ‘Extraordinary’, in a political sense, does not necessarily need

to be negative. Using a global health example, both HIV/AIDS and Ebola were securitised in the

positive sense. Having identified an existential threat to the audience, governments securitised

these diseases and pursued mitigation in the form of therapies, treatments, and vaccines.145

The mobilisation of the polity is another notable similarity between securitisation and Schmittian

realism, alone with the comparative mutability of the concept of security according to the

(subjective) views of the decision-maker (for Schmitt) or the actor that can ‘speak security’ (for

securitisation scholars). “As revolutionary movements demonstrate perhaps most clearly, the

142 Williams, “Securitization as Political Theory: The Politics of the Extraordinary.” 143 Williams, 115. 144 Williams, 115. 145 HIV/AIDS refers to Human Immunodeficiency Virus/Acquired Immunodeficiency Virus. Colin McInnes and Simon Rushton, “HIV/AIDS and Securitization Theory,” European Journal of International Relations 19, no. 1 (March 1, 2013): 115–38, https://doi.org/10.1177/1354066111425258; Michael J. Selgelid and Christian Enemark, “Infectious Diseases, Security and Ethics: The Case of Hiv/Aids,” Bioethics 22, no. 9 (2008): 457–65, https://doi.org/10.1111/j.1467-8519.2008.00696.x; Roxanna Sjöstedt, “Exploring the Construction of Threats: The Securitization of HIV/AIDS in Russia,” Security Dialogue 39, no. 1 (March 1, 2008): 7–29, https://doi.org/10.1177/0967010607086821; Marco Antonio Vieira, “The Securitization of the HIV/AIDS Epidemic as a Norm: A Contribution to Constructivist Scholarship on the Emergence and Diffusion of International Norms,” Brazilian Political Science Review (Online) 2, no. SE (December 2007): 0–0.


51

politics of the extraordinary can emerge from unexpected sources and through surprising

processes that overturn, disrupt or challenge prevailing structures or practices.”146 This sounds

remarkably similar to the extraordinary measures granted by a successful securitisation process.

Williams quotes Ole Waever’s assertion that for him, security is to be understood as exceptionality

and emergency as defined by Schmitt, but tempered by an “Arendtian understanding of politics”,147

or, an understanding that extraordinary politics could have a positive impact.

If the logic of security is defined by a friend/enemy construction, then it is not unreasonable to

assume that securitisation will be negative: after all, the primary use of the securitisation framework

is the analysis of how a political concern is elevated to the level of a security threat, by nature a

negative condition. Additionally, the terms ‘politics of the extraordinary’ and ‘emergency’ carry a

negative cultural connotation that lends credence to the idea that securitisation is an inherent

negative process. However, if you move beyond the considerations of enmity and exclusion that

characterise Schmitt’s theoretical concept, and beyond the exceptionality of the decision-maker,

then the securitisation process does not necessarily have to be negative. Regardless of one’s

perception of the positive or the negative impact of securitisation, there is an unmistakable

similarity between securitisation theory and Schmittian realism. If that is the case, then

securitisation theory may not necessarily be solidly placed within the constructivist field of

philosophy. It is on this possibility that I first considered the structure of elevation theory (see

below), sharing in both realist and constructivist elements, and hopefully serving as a bridge

between fields.

State-centrism in Securitisation Research

One of the original purposes of securitisation theory was to reduce the traditional academic and

philosophical focus on the state within strategic studies as a discipline.148 However, throughout

Security: A Framework for Analysis, and indeed the body of securitisation literature, that focus on the

state has remained.149 Often in examinations and discussions of securitisation theory, the state is

the referent object in question. While this does not negate the value of that research, it does call

into question whether or not securitisation theory should truly be considered as separate from

traditional strategic studies, or indeed the overall realist school of thought. In addition, while

Buzan, Waever and de Wilde purposefully examined sectors beyond the military, much of the

146 Williams, “Securitization as Political Theory: The Politics of the Extraordinary,” 116. 147 Williams, 118. 148 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 36–40. 149 Knudsen, “Post-Copenhagen Security Studies: Desecuritizing Securitization.”


52

existing work on securitisation theory by other academics not only holds the state as the reference

object but considers, specifically, various elements of security in the military sector and in the

military sense. This thesis also focuses primarily on an examination of the way in which a state

actor has observable elevated a particular threat. In this instance, the choice to examine state actor

elevation was made in order to ascertain how at the highest levels, these concepts and problems

are being understood. The ways that states legislate and draft policies are affected by threat

perception. In turn, these laws and policies will affect the ways in which substate actors like

corporate groups and individuals are able to engage and act themselves. Beyond the case specific

to this thesis, however, threat elevation analysis has been designed for and can be applied to

substate actors and security concepts and problems as well, though this is outside the scope of the

current research project and so must be undertaken in future.

Post-Copenhagen Securitisation Theories

Copenhagen securitisation theory, so named for the geographic location of the scholars by whom

the theory was conceived, is not the only variation of securitisation theory. Many scholars have

their own securitisation variants, including the one I offer in this thesis. However, there are two

main alternatives to the (traditional) CST; the Welsh School, and the Paris School. As would be

expected, each of these Schools of thought focuses on a different element of securitisation. The

Welsh School, or Aberystwyth School, “linked the study of security to the …. goal of human

emancipation”.150 This draws even further away from the traditional (realist) view of security being

focused on the state and the military concerns thereof than does Copenhagen securitisation theory.

Firmly within the social constructivist field of political theory, scholars such as Ken Booth and

Richard Wyn Jones are broadly considered to be representative of this particular School of

securitisation theory.151 The Paris School, on the other hand, focuses more on developing a

sociological approach to (the analysis of) “the conduct of everyday security practices ranging from

policing to border patrol”.152 While this is closer to the traditional state-based view of security, it

is distanced from realist conceptions of such by its focus on the micro-practices, or sub-state levels

of security. That is to say, on the various constituent practices that actually provide and maintain

the security of the state in real terms. In considering the strategic understanding and development

of the threat perception of cyberspace and parallel evolution of CCI, the more relevant framework

150 Peoples and Vaughan-Williams, “Introduction,” 9. 151 Peoples and Vaughan-Williams, 9; Floyd, “Towards a Consequentialist Evaluation of Security,” 328. See also Ken Booth, “Security and Emancipation,” Review of International Studies 17, no. 4 (1991): 313–26; Richard Wyn Jones, Security, Strategy, and Critical Theory (Boulder: Lynne Rienner Publishers, 1999). 152 Peoples and Vaughan-Williams, “Introduction,” 9.


53

is the state-level securitisation theory. While you could certainly examine cyber security issues from

the Welsh and Paris perspectives, these Schools of securitisation theory have been developed to

analyse very particular issues, and they do this very well. Because of that niche development,

however, they have less utility across the wider realm of strategic problems. They are better suited

to specific, bounded analyses than the more state-level, systemic analytical tool of Copenhagen

securitisation.

While there are a great many scholars of securitisation theory, as Peoples and Vaughan-Williams

argued in Mapping Critical Security Studies, it is important not to become too attached to the concept

of identifying scholars and theories by this tripartite, geographically-oriented view of

securitisation.153 Each of these three main forms of securitisation have overlapping elements and

fields of analysis, which link them together just as much as their varying analytical foci separate

them from each other. Balzacq also notes that all three Schools are peculiarly Eurocentric, and this

is an important analytical bias to recognise when utilising (or critiquing) securitisation theory.154

While enumerating and detailing the differences and similarities of the various forms of

securitisation theory is not within the scope of this thesis, it is important to recognise that

securitisation is a widely-researched academic field. In addition, by providing a brief overview of

the main alternatives to CST, I am better able to place the elevation variant of securitisation within

the theoretical field at large (see below). As previously stated, according to Balzacq, there are

common elements across each variant of securitisation theory so far offered, and this is also true

of the elevation variant used in this thesis. Just as the Copenhagen, Welsh, and Paris Schools of

securitisation focus on certain areas of securitisation which have come to epitomise each of them,

so have I utilised themes common to each form of securitisation theory while employing an

alternate analytical view that has resulted in a unique theoretical framework within the overall field

of securitisation theory. It is my belief that this newer form of securitisation will also be better

suited to modern concerns over, and utilisation of, advanced communications technologies.

Framing

Scott Watson sees securitisation theory as a subfield of framing, or the way in which information

is communicated in order for it to be perceived in a certain way.155 Watson identifies securitisation

theory so conceived as a uniquely European mode of thought, noting that in American scholarship,

framing, (rather than securitisation) is the preferred method of analysis and addresses much of the

153 Peoples and Vaughan-Williams, 9–10. 154 Peoples and Vaughan-Williams, 9–10. 155 Watson, “‘Framing’ the Copenhagen School.”


54

same material. Watson’s argument is that security is a ‘master frame’ in security studies, and that

securitisation theory should be considered a subfield of framing.156 Among the similarities between

the framing and securitisation frameworks is the assertion “that linguistic-grammatical

composition is essential to understanding political outcomes.”157 Construction of threat through

discursive legitimation aside, both frameworks also identify the importance of power structures

and relationships, and distinguish “audience, commentator and culture” as crucial elements in the

construction of threats.158 However, Watson admits that there is a drawback to conflating the two

approaches; framing focuses primarily on the public as the relevant audience in question and the

effect of framing in the media. Thus, any insights may not be applicable to securitisations in which

the relevant audience is not the general public. As the concept of framing does lend itself to my

argument that the media can be securitising actors (by framing information and thus guiding

perception), I would argue that framing is an element of the securitisation process, rather than that

securitisation is a subfield of framing.

Moving Beyond CST

Having examined much of the existing literature on CST, I would suggest that rather than view

CST as a form of analysing threat construction or conflating it with framing, it may be more useful

to reformulate securitisation and then relocate it closer to, if not within, the realist school as a

theory of threat elevation.159 I would further argue that, taking into account the various elements

of securitisation theory as laid out here, securitisation would be better utilised to explain how a

threat is elevated from a normal political issue to a security threat, rather than constructed into one.

It is not the manner in which an issue is discussed that makes that issue a threat, so assertions that

threats are socially constructed are arguable. Rather, the perception of an issue as threatening to a

particular object relies on reaching an understanding of the particular damage that threat could

accomplish. There must be either previous incidences wherein damage has been caused by that

threat and it must be treated accordingly, or there should be a reasonable belief with evidentiary

support that a particular identified ‘threat’ may or will cause damage in the future. This is an

156 Watson, 280. 157 Watson, 283. 158 Watson, 284. 159 Realism, according to Jack Donnelly, is “a tradition of analysis that stresses the imperatives states face to pursue a power politics of the nation interest….” and notes that realism is the oldest theory of international relations. Jack Donnelly, “Realism,” in Theories of International Relations, by Scott Burchill et al., 3rd ed. (Palgrave Macmillan, 2005), 29, http://dro.deakin.edu.au/view/DU:30010384. Realism focuses on the problems faced by, and methods of persuasion and mitigation available to, the sovereign state. As such, realism is mainly concerned with the military sector, and how that sector affects and is affected by other sectors.


55

acknowledgement of an existing reality rather than the construction of a novel threat. As such, the

result of a securitising process is the elevation of both the issue to the status of threat, and the

measures in the correlating security policy, rather than the construction of the threat itself.

To use the Cold War as an example, the creation and deployment of nuclear weaponry was the

result of a security policy that evolved out of the recognition of hostile rivals and the threat they

represented.160 Once further parties obtained nuclear weapons and the concept of mutually assured

destruction (MAD) came into play, it could be argued that the normalisation of MAD and the

signing of nuclear accords and de-proliferation/non-proliferation treaties then desecuritised the

nuclear issue (at least to some extent).

It was after the advent of the Internet and the diffusion of access to cyberspace that the

vulnerabilities of the new domain began to become a security concern. It is then that we started to

see the securitisation of cyberspace; crucially, after it has been proven to be a threat vector.161

According to this more realist conception of securitisation, then, the speech act elevates an existing

perception of threat out of the bounds of normal politics. A successful securitising move would

be one that results in the creation or transformation of a security policy or strategy beyond the

bounds of those that already exist. In this context, the creation of national security policies and

strategies specific to cyberspace are measures resulting from the recognition of the threat elevation

of cyberspace.

I acknowledge that threat perception is socially constructed insofar as it is the securitising actor,

as a person or collective of people, that perceives something to be threatening to a given referent

object, and all perception is subjective and based on lived experiences.162 States are likely to identify

rising threats based on pre-existing conditions, so the particular context in which a threat is

identified and elevated is key.163 In particular, the historical relationships between the conflicting

160 See Elbridge Colby, “The Role of Nuclear Weapons in the U.S.-Russian Relationship,” Carnegie Endowment for International Peace, 2016, https://carnegieendowment.org/2016/02/26/role-of-nuclear-weapons-in-u.s.-russian-relationship-pub-62901; Carl Kaysen, Robert S. McNamara, and George W. Rathjens, “Nuclear Weapons After the Cold War,” June 21, 2018, https://www.foreignaffairs.com/articles/1991-09-01/nuclear-weapons-after-cold-war; David S. Meyer, “Framing National Security: Elite Public Discourse on Nuclear Weapons during the Cold War,” Political Communication 12, no. 2 (April 1, 1995): 173–92, https://doi.org/10.1080/10584609.1995.9963064; John Swift, “The Soviet-American Arms Race | History Today,” History Today, 2009, https://www.historytoday.com/archive/soviet-american-arms-race; Godfried van Benthem van den Bergh, “The Taming of the Great Nuclear Powers,” Policy Outlook (Carnegie Endowment for International Peace, 2009). 161 Refer to chapter four for an exploration of the development and riskification of cyberspace. 162 See Kenneth Boulding, The Image: Knowledge in Life and Society (Ann Arbor: University of Michigan Press, 1956), https://www.press.umich.edu/6607/image. 163 See Waltz, Man the State and War: A Theoretical Analysis.


56

or hostile parties will affect the outcome of a securitisation. This concept of the threat matrix is

not unique to the state, either. A current and evolving awareness of existential threats can be drawn

down through all levels, including the collectives and the individuals identified as actors within this

thesis. Thus, a riskifying or securitising move only elevates that which is already viewed as a

concern from the bounds of normal politics to a security risk or a security threat, requiring either

management or extraordinary measures for resolution and giving the securitising actor the impetus

to create or transform a security policy in a way that may not otherwise be acceptable to the

relevant audience.

Successful securitisation so understood can be seen in the passing of the Patriot Act;164 the creation

and operation of mass surveillance programs such as the National Security Agency’s (NSA)

PRISM.165 The ongoing wars in the Middle East were once successfully securitised but can now be

argued to have lost the necessary ongoing consent of the relevant audience.166 The growing number

of agencies and government or military branches with dedicated cyber security forces speaks to

the successful elevation of cyberspace attack and exploitation to a serious threat to security;

whether it is an existential one depends on the body of literature and to which author or actor you

are referring. Additionally, treating securitisation as a method of elevation reduces reliance on the

key concept of audience acceptance which is difficult to gauge. Relevant audience acceptance in

securitisation-as-elevation theory could be understood as either having been neutralised or at least

as have become non-oppositional. Given the ‘social’ construction of perceived threat, the existence

of that threat must be accepted so the primary relevant audience for a successful policy creation

or transformation would in the first instance be politicians or security practitioners rather than the

general public.

Having examined traditional securitisation theory and identified the potential for development of

that framework, the next section provides an overview of the existing literature surrounding the

field of counterintelligence. Counterintelligence has a long history and is an accepted practice of

164 United States Department of Justice, “The USA PATRIOT Act: Preserving Life and Liberty,” United States Department of Justice, 2001, https://www.justice.gov/archive/ll/highlights.htm. 165 Gordon Carera, Intercept: The Secret History of Computers and Spies (London: Weidenfeld & Nicolson, 2015), 352–56; 371–76. 166 Andrew Bacevich, “Endless War in the Middle East,” Cato Institute, June 13, 2016, https://www.cato.org/catos-letter/endless-war-middle-east; Anthony H. Cordesman, “America’s Failed Strategy in the Middle East: Losing Iraq and the Gulf,” 2020, https://www.csis.org/analysis/americas-failed-strategy-middle-east-losing-iraq-and-gulf; Simon Jenkins, “The US and Britain Face No Existential Threat. So Why Do Their Wars Go On?,” the Guardian, November 15, 2019, http://www.theguardian.com/commentisfree/2019/nov/15/britain-and-us-wars-conflicts-middle-east; Bruce Riedel, “30 Years after Our ‘Endless Wars’ in the Middle East Began, Still No End in Sight,” Brookings (blog), July 27, 2020, https://www.brookings.edu/blog/order-from-chaos/2020/07/27/30-years-after-our-endless-wars-in-the-middle-east-began-still-no-end-in-sight/.


57

national security and statecraft. However, I contend that modern approaches to

counterintelligence have not evolved apace with developments in cyberspace and related high

technologies. Additionally, counterintelligence in cyberspace needs to be, at least in part, devolved

to the level of the individual to contribute to a greater degree of relative security for the state, as

individuals can be intelligence collection targets for foreign actors. Chapter four of this thesis

evaluates the British approach to CCI through process-tracing and discourse analysis; chapter six

examines disinformation through the lens of CCI and foreign interference. The next section of

this chapter is not an exhaustive examination as the literature on traditional intelligence and

counterintelligence studies is extensive, but will give a broad, fundamental understanding of the

field out of which the later development of CCI is born.

Counterintelligence

Counterintelligence is an essential part of security, both as a mirror and as part of intelligence as a

practice. Both intelligence and counterintelligence have been evident as an essential part of

statecraft for thousands of years.167 The earliest example of counterintelligence that comes to mind

when considering the history of the discipline is the creation and use of ciphers to pass messages

in ancient times; perhaps the best-known example is the Caesar cipher. This cipher, named for

Julius Caesar who is said to have created it, consists of a simple three letter shift used to encrypt

messages between the Roman Emperor and his commanders and allies.168 In terms of state

security, secrets can mean the difference between victory and loss, life and death, peace and war.

The practice of counterintelligence is active and, at times, proactive, while consistently crucial to

the continued security of the sovereign state. Counterintelligence as an academic field is more

recent, but references can be found to counterintelligence practices spanning back millennia, even

though it may not specifically be termed as such.169 There are many definitions of

counterintelligence,170 and many opinions on where it falls on the spectrum of importance to

167 See Sara Perley, “Arcana Imperii: Roman Political Intelligence, Counterintelligence, and Covert Action in the Mid-Republic” (Canberra, The Australian National University, 2016); Rose Mary Sheldon, “Caesar, Intelligence, and Ancient Britain,” International Journal of Intelligence and CounterIntelligence 15, no. 1 (January 2002): 77–100, https://doi.org/10.1080/088506002753412892; Rose Mary Sheldon, “A Guide to Intelligence from Antiquity to Rome,” The Intelligencer 18, no. 3 (2011): 49–51. 168 Christopher Andrews, The Secret World: A History of Intelligence (New York: Penguin Books, 2019), 46, https://www.penguin.com.au/books/the-secret-world-9780140285321. 169 Andrews, The Secret World: A History of Intelligence; Perley, “Arcana Imperii: Roman Political Intelligence, Counterintelligence, and Covert Action in the Mid-Republic.” 170 Stan A. Taylor, “Definitions and Theories of Counterintelligence,” in Essentials of Strategic Intelligence, ed. Loch K. Johnson, Praeger Security International Textbook (Santa Barbara: Praeger, 2015), 285–302; Loch K Johnson and James J Wirtz, Intelligence: The Secret World of Spies : An Anthology (New York: Oxford University Press, 2011), 70–71; Mark Lowenthal, Intelligence: From Secrets to Policy, 8th ed. (Thousand Oaks: SAGE Pulications, Inc, 2020), 201.


58

security, but I would argue that the essential purpose of counterintelligence is to actively deny your

opponent access to information that you are trying to keep secret.

Traditional Counterintelligence

In this section on traditional counterintelligence, I will briefly discuss three aspects of this field.

The first is the discipline of counterintelligence: in other words, how counterintelligence has been,

and is being, undertaken by intelligence practitioners. The second aspect I will consider is the

development of counterintelligence; in terms of development, I have found that

counterintelligence is in large part both reactionary to, and reliant on, the improvement or

innovation of new technologies. It is imperative that counterintelligence practitioners be familiar

with the technologies that could be used by hostile intelligence collectors, and I believe that the

development of this field is largely correlative to the development of technologies of various types.

The last aspect I will consider, and perhaps the most important in terms of security, is the purpose

of counterintelligence. This encompasses what the express purpose is; some of the stated

counterintelligence goals of various intelligence agencies and the governments to which they

belong; and why counterintelligence is such an important discipline in the first place.

As a precursor to the discussion of counterintelligence, I need to draw attention to its vague and

complicated nature. According to Mark Lowenthal, counterintelligence is one of the most difficult

of the intelligence disciplines to discuss because it cannot be neatly pigeonholed into any one area:

it isn’t collection, but involves collection. It isn’t analysis, but involves analysis, and can create

analytical opportunities. It isn’t human intelligence, but it can involve human intelligence. It is not

solely a law enforcement issue, but it is crucial to the law enforcement process.171

Counterintelligence, as a practice and as a consideration, should pervade all aspects of (intelligence

and) security, and not be considered a separate or outlying step in the overall intelligence process:

to do so is to risk failure. Lowenthal identifies three branches of counterintelligence, none of which

are mutually exclusive: collection, defensive, and offensive.172 With that in mind, we can look to

counterintelligence’s history and development, and its purpose.

171 Lowenthal, Intelligence: From Secrets to Policy, 201–28. 172 Lowenthal, 201–28. These will also be considered further in relation to counterintelligence in cyberspace in chapter three.


59

History and Development

As stated above, counterintelligence is the practice of denying an adversary access to information

that they want, which you are trying to keep secret. This is a very basic definition, but it will form

the foundation of this section. One of the most famous of (known) counterintelligence agents,

James Angleton of the US’ Central Intelligence Agency (CIA), once described counterintelligence

as operating in a ‘wilderness of mirrors’,173 where the wilderness was the “myriad of stratagems,

deceptions, artifices, and all the other devices of disinformation which…intelligence services use

to confuse and split the West…producing an ever-fluid landscape where fact and illusions

merge.”174 This description remains one of the best I have ever found of the ground covered by

traditional counterintelligence, despite its less-than-academic formulation. It is the job of the

counterintelligence agent to be the professional paranoid in a community that makes a career and

a practice of paranoia.

Counterintelligence is conducted in many different forms, including communications encryption

like the Caesar cipher, though in modern times cryptography has significantly improved.175

Counterintelligence is also a matter of human intelligence (HUMINT); of discovering intelligence

agents reporting to foreign intelligence services and either flipping them,176 or providing them with

misleading information (disinformation) in order to confuse the actor to whom they report.177

Disinformation and misdirection are key practices of the counterintelligence discipline, and much

of what is publicly known about previous counterintelligence operations can be reduced to one of

these two practices, if not both.

173 Referring to the ‘looking-glass nature’ of counterintelligence and, particularly during the Cold War when Angleton ran the CIA’s counterintelligence branch, the difficult and often disliked practice of tracking and identifying moles within one’s own intelligence service; of constant suspicion of the loyalties of fellow agents. John Kimsey, “‘The Ends of a State’: James Angleton, Counterintelligence and the New Criticism,” The Space Between: Literature and Culture 1914-1945 13 (2017), https://scalar.usc.edu/works/the-space-between-literature-and-culture-1914-1945/vol13_2017_kimsey; see also David Robarge, “‘Cunning Passages, Contrived Corridors’: Wandering in the Angletonian Wilderness,” Studies in Intelligence 53, no. 4 (2009): 49–61. 174 Angleton here referred entirely to Soviet bloc intelligence services, but the definition can apply to all foreign intelligence services. David Robarge, “Moles, Defectors, and Deceptions: James Angleton and CIA Counterintelligence,” Journal of Intelligence History 3, no. 2 (December 2003): 31, https://doi.org/10.1080/16161262.2003.10555085. 175 For a history of intelligence and counterintelligence (including cryptography and cryptanalysis), see Andrews, The Secret World: A History of Intelligence. 176 A term for convincing (in one way or another) a foreign intelligence agent to turn against their employer and spy for you instead. 177 Miron Varouhakis, “An Institution-Level Theoretical Approach for Counterintelligence,” International Journal of Intelligence and CounterIntelligence 24, no. 3 (September 2011): 494–509, https://doi.org/10.1080/08850607.2011.568293; Frederick L. Wettering, “Counterintelligence: The Broken Triad,” International Journal of Intelligence and CounterIntelligence 13, no. 3 (October 2000): 265–300, https://doi.org/10.1080/08850600050140607.


60

Counterintelligence is an extremely difficult field in which to work. In addition to investigating,

misdirecting, misleading and protecting against (known) agents of adversarial intelligence services,

it is also the responsibility of counterintelligence agencies and agents to monitor and investigate

those within the domestic intelligence services and citizenry who may be operating for a foreign

actor from within their home state.178 This practice became particularly important during the Cold

War and immediately following, when spies like Robert Hanssen and Aldrich Ames in the US, and

Klaus Fuchs in Britain were discovered to have been spying for the Soviet Union across decades

and from within important security-related programmes (Ames and Hanssen were CIA and FBI

agents, respectively, while Fuchs worked on the Manhattan Project).179

Of the examples available in the public domain, Christopher Andrews’ 2018 history of intelligence

and counterintelligence provides an authoritative examination, covering several thousand years of

known cases.180 World War II in particular provides several cases of exemplary counterintelligence

operations that changed the course of the war effort in favour of the Allies. Operation Mincemeat

in Britain;181 the breaking of the Enigma machine codes by the Bletchley Park codebreakers;182 and

the Bodyguard operations designed to divert Hitler’s forces during the D-Day landings are

incredible examples of the importance, utility, and effect of counterintelligence operations.183 Each

of these operations required extensive planning, considerable risk and extremely tight operational

security in order to achieve the desired outcomes and influence the overall war effort in favour of

the Allies.

Counterintelligence is, by nature, a largely reactionary discipline; the practice of counterintelligence

consists of subverting the actions of others and preventing the loss of state secrets and exploitation

of that information, as well as protecting that information to begin with. Much like cyber security,

in the intelligence world, to be on the defensive is both more dangerous and more difficult than

being on the offensive, because you cannot defend against that which you do not know and have

178 Varouhakis, “An Institution-Level Theoretical Approach for Counterintelligence.” 179 Federal Bureau of Investigation, “Robert Hanssen,” Page, Federal Bureau of Investigation, 2001, https://www.fbi.gov/history/famous-cases/robert-hanssen; Federal Bureau of Investigation, “Aldrich Ames,” Page, Federal Bureau of Investigation, 2012, https://www.fbi.gov/history/famous-cases/aldrich-ames; MI5, “Klaus Fuchs | MI5 - The Security Service,” Security Service | MI5, 2020, https://www.mi5.gov.uk/klaus-fuchs. 180 Andrews, The Secret World: A History of Intelligence. 181Andrews, 256; see also Ben MacIntyre, “Operation Mincemeat,” Bloomsbury Publishing, 2010, https://www.bloomsbury.com/uk/operation-mincemeat-9781408809211/. 182 Andrews, The Secret World: A History of Intelligence, 616–17; see also Michael Smith, The Secrets of Station X: How the Bletchley Park Codebreakers Helped Win the War (Hull: Biteback Publishing, 2011). 183 Andrews, The Secret World: A History of Intelligence, 657; see also Ben MacIntyre, Double Cross: The True Story of the D-Day Spies (London: Bloomsbury Publishing, 2012), https://www.bloomsbury.com/uk/double-cross-9781408819906/.


61

not seen. The point of counterintelligence is to attempt to defend against the physical zero-day

exploits;184 to find the insider threat; to evaluate the likelihood of information leaks and to find

and subvert intelligence agents operating under orders from foreign (and often hostile) parties.

Following Lowenthal, there are three overlapping branches of counterintelligence: collection,

defensive, and offensive.185 Counterintelligence collection involves obtaining information about

the intelligence agencies, collection, and overall activities of a hostile or conflicting party when

those efforts are concentrated on oneself or one’s allies. Defensive counterintelligence are the

efforts and operations undertaken to subvert those intelligence activities concentrated on the

intelligence operations, activities, and/or agencies of oneself or one’s allies by another actor.

Offensive counterintelligence refers to the practice of manipulating an adversary’s intelligence

activities either by flipping agents, or through a disinformation campaign.186 Per Lowenthal,

counterintelligence “refers to efforts taken to protect one’s own intelligence operations from

penetration and disruption by hostile nations of their intelligence services.”187 Paul Redmond

provides definitions accepted by the US; Russia; and the UK which all bear similarities but in fact

are not identical.188 For example, the Russian and British definitions of counterintelligence contain

reference to counter-subversion tactics and operations, whereas the American definition does not.

The general point to be made is that there are a number of alternate and/or competing definitions;

it is possible to add a number of other activities to this definition that would increase the size of

the field of counterintelligence.189 In addition to outward focused efforts where the opposition is

assumed to be foreign parties operating in or against the sovereign state domestically,

counterintelligence efforts must also include the investigation and subversion of the efforts and

operations undertaken by domestic parties on behalf of foreign states or actors, as well as for the

purposes of domestic groups for which those spies may be working.

184 A previously unknown vulnerability or flaw in a program or code, that allows hostile parties to compromise a program, device, or network. Crowdstrike, “What Is a Zero-Day Attack? | CrowdStrike,” crowdstrike.com, 2021, https://www.crowdstrike.com/cybersecurity-101/zero-day-exploit/. 185 Lowenthal, Intelligence: From Secrets to Policy, 201–2. These will also be considered further in relation to counterintelligence in cyberspace in chapter three. 186 Lowenthal, 201–2. 187 Lowenthal, 201–2. 188 Paul J. Redmond, “The Challenges of Counterintelligence,” in Intelligence: The Secret World of Spies, ed. Loch K. Johnson and James J. Wirtz, 3rd ed. (New York: Oxford University Press, 2011), 295. 189 John Ehrman, “What Are We Talking About When We Talk about Counterintelligence? - CIA,” Studies in Intelligence 53, no. 2 (2009), https://www.cia.gov/resources/csi/studies-in-intelligence/volume-53-no-2/what-are-we-talking-about-when-we-talk-about-counterintelligence-pdf-172-0kb/; Paul Redmond in Lowenthal, Intelligence: From Secrets to Policy, 202.


62

Technically speaking, counterintelligence is also both a process and a product; according to

Johnson & Wirtz, the counterintelligence process is what raw information has to go through in

order to become actionable intelligence; a counterintelligence product is the final, actionable

intelligence on the foreign intelligence activities, operations and agencies that are operating against

the target state.190

Counterintelligence is also a term of organisational nomenclature, referring to the agencies,

departments and services whose mandate is to undertake counterintelligence on behalf of the state.

In real terms, counterintelligence is partially so difficult to understand because so many actors have

different understandings of what counterintelligence is; how it functions; and what it should be.

Irrespective of the accepted official and/or organisational definition of counterintelligence,

however, there is a general acceptance of how important counterintelligence is to the continued

security of the modern state. Every major text examining the history, the evolution, and/or the

discipline of intelligence contains a section on counterintelligence and the ways in which

counterintelligence protects the sovereign state.191

Purpose

The essential purpose of counterintelligence has already been examined in the sections above;

however, there are observable changes between the requirements of counterintelligence practices

and practitioners now and counterintelligence practices and practitioners even just twenty years

ago. Because counterintelligence is a reactionary discipline and evolves with the technology of the

times, just like many other sectors of modern life, counterintelligence has undergone (and

continues to undergo) a sea change in expectations and deliverables now that so much of the

world’s business is conducted in or through cyberspace. I refer elsewhere to the problems of

volume, velocity and variety in the amount of data to which intelligence agencies have access in

my brief examination of the Snowden leaks and the extent of the National Security Agency data

dragnet.192 Due to the volume of data both already available and constantly being created, there is

also a serious veracity problem: being able to verify that the data collected is accurate. Given also

the low threshold for entry into cyberspace and the ease with which an individual can create an

enormous volume of data both verifiable and false, this forms part of the argument for dragnet

surveillance: it is impossible to know what you will need until you need it, so it is best to collect

190 Johnson and Wirtz, Intelligence, 288. 191 Andrews, The Secret World: A History of Intelligence; Johnson and Wirtz, Intelligence; Lowenthal, Intelligence: From Secrets to Policy; Taylor, “Definitions and Theories of Counterintelligence.” 192 See chapter six, section on data collection and the Internet of Things.


63

and store as much as possible so that the information pool is there for exploitation once agencies

do have a target.193

In cyberspace as much as in the physical world (if not more so), counterintelligence activities and

operations are required as active defence measures: cyberspace is an offensively advantaged

domain, and considering that counterintelligence is already a reactionary discipline, cyberspace

poses a great number of problems for counterintelligence practitioners. The zero-day exploit issue

is of constant concern to most users of cyberspace but particularly to the government agencies

and departments tasked with defence of the areas of cyberspace used regularly by state actors.

Hostile actors in possession of zero-day exploits for programs used by government devices, for

example, could provide unauthorised access to any number of sensitive or classified information

and systems. It is also a concern for offensive purposes, as actors with knowledge of a current and

un-patched zero-day exploit have leverage over every other actor in the international system that

uses that software, of which there could be tens of millions.194

In addition, the same problems that cyberspace presents to those trying to secure the activities and

interests of the state in cyberspace are also posed to corporations, groups, and individuals. Identity

theft, credit card fraud, data exfiltration and email scams are now ubiquitous in cyberspace and

barely a day goes by without a new article being published detailing how this or that actor lost

millions of clients’ personal data.195 Despite the requirement for counterintelligence having

expanded beyond the sovereign state, however, I contend that the state is still the actor with the

greatest vested interest in the resilience and security of the cyber domain, and so in the practices

of offensive and defensive counterintelligence. While the state may not be the only significant actor

193 It is worth noting that dragnet surveillance is ethically, legally, and politically problematic. 194 The WannaCry ransomware, for example, exploited a known flaw in a Microsoft system, using an NSA hacking tool called EternalBlue, stolen and then leaked by the Shadow Brokers group in April 2017 Andy Greenberg, “The Strange Journey of an NSA Zero-Day—Into Multiple Enemies’ Hands,” Wired, May 7, 2019, https://www.wired.com/story/nsa-zero-day-symantec-buckeye-china/. That same vulnerability is now known to have been in the possession of at least three actors before the 2017 WannaCry operation - China, North Korea, and Russia. Greenberg; Lily Hay Newman, “How Leaked NSA Spy Tool ‘EternalBlue’ Became a Hacker Favorite,” Wired, March 7, 2018, https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/. 195 BBC News, “Sony Pays up to $8m over Employees’ Hacked Data”; Josh Fruhlinger, “Marriott Data Breach FAQ: How Did It Happen and What Was the Impact?,” CSO Online, February 12, 2020, https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html; Fruhlinger, “Equifax Data Breach FAQ”; Haskell-Dowland, “Facebook Data Breach”; Brian Krebs, “Adobe Breach Impacted At Least 38 Million Users – Krebs on Security,” Krebs On Security (blog), 2013, https://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/; Ragan, “Raising Awareness Quickly”; Rushe, “JP Morgan Chase Reveals Massive Data Breach Affecting 76m Households”; Cory Scott, “Protecting Our Members,” LinkedIn, May 18, 2016, https://blog.linkedin.com/2016/05/18/protecting-our-members; Martyn Williams, “Inside the Russian Hack of Yahoo: How They Did It,” CSO Online, October 4, 2017, https://www.csoonline.com/article/3180762/inside-the-russian-hack-of-yahoo-how-they-did-it.html.


64

in cyberspace,196 the positioning and responsibilities of the state with regard to domestic and

foreign policy making, as well as social order and law enforcement, ensure the centrality of the

state in analyses of cyberspace, intelligence and security. Particularly with respect to the function

of counterintelligence in cyberspace, the state is responsible for identifying and mitigating the

intelligence operations and actors of adversaries, both state and (increasingly) non-state. Given the

volume of interactions conducted in cyberspace, it is crucial that CCI be understood and

undertaken at the state level as well as the individual level. Moreover, given the ease of use in

cyberspace in relation to the conduct and diffusion of disinformation and information operations,

the counterintelligence responsibilities of the state have expanded considerably. There is a

reasonable case to argue that individual contribution to aggregate national cyber security by way

of conducting individual CCI is necessary for cyber resilience and security. Disinformation as a

CCI issue is discussed further in the penultimate chapter.

Defining cyber counterintelligence

Despite the necessity of CCI practices, there has been relatively little academic investigation and

analysis of how CCI is actually defined, understood, and applied. While many states have now

published cyber strategies and designated new agencies, branches, or departments as responsible

for securing the state in cyberspace (to include, directly or indirectly, CCI measures and standards),

the definition problem found in traditional counterintelligence is multiplied in cyberspace. Because

of the low threshold of entry to cyberspace and the immense – and growing – number of

individuals that access and use cyberspace as part of everyday life, CCI practices are actually fairly

widespread, even if individuals may not realise they are conducting CCI practices to begin with.

For example, something as simple as changing your email and social media passwords every eight

to twelve weeks can be considered active, anticipatory CCI: doing so frequently ensures that even

if a malicious actor acquires your current password and is using your accounts or devices, once the

passwords are changed, there is a chance that access will be revoked to those actors.197 However,

an article published in the Washington Post in 2018 revealed that more than 5,000 passwords used

by officials in the government of Western Australia used a variation including the word

“password”; more than 1,400 used the password “Password123” which is a worrying breach of

196 Nicolò Bussolati, “The Rise of Non-State Actors in Cyberwarfare,” in Cyberwar: Law and Ethics for Virtual Conflicts, ed. Jens David Ohlin, Kevin Govern, and Claire Finkelstein (New York: Oxford University Press, 2015), 126, https://doi.org/10.1093/acprof:oso/9780198717492.003.0007. 197 Only a chance, as they may have already constructed back doors into your applications and systems. Conversely, other experts maintain that strong, unique passwords should not need to be changed as frequently, unless a breach is suspected. See Paul A Grassi, Michael E Garcia, and James L Fenton, “Digital Identity Guidelines” (Gaithersburg, MD: National Institute of Standards and Technology, June 22, 2017), https://doi.org/10.6028/NIST.SP.800-63-3.


65

both common sense and security protocols.198 It is a demonstration of how important CCI is in

practice, and how much work remains in communicating to democratic audiences the importance

of good CCI and security practices.

Moving back to the problem of defining CCI, this is in large part due to the difficulty of settling

on a generally accepted definition of traditional counterintelligence. In addition, and considering

our great and growing reliance on cyberspace-enabled technologies, traditional counterintelligence

practices and definitions focus almost exclusively on the state as both the victim of intelligence

operations and the instigator of intelligence operations, thus making counterintelligence a state-

centric discipline. Taking into account that the focus of this thesis is on state-based CCI and the

conceptual complexities involved, I will not go into the various purposes, definitions and tools of

CCI as used by individuals or groups; it is beyond the scope of this thesis to adequately treat these

subjects. I will briefly examine these actors as they relate to state security in chapter five, but

engaging further on these actors in relation to CCI is a matter for future research.

State based definitions and practices of CCI need to evolve beyond the traditional, pre-cyber

understandings of both aggressor and victim in terms of both intelligence and counterintelligence.

The state could conceivably be a victim of malicious cyber activity conducted by individuals or

groups, and the official understanding of CCI must evolve to deal with these relatively new attack

vectors. It is no longer true that the only threat to the security of the state would be another state,

though it must be said few entities exist that could pose an existential threat to the state without

the backing of one. So, while CCI practices to an extent are generally applicable regardless of the

actor being combatted or the attack vector of the threat being mitigated, both official and academic

understandings of state security in relation to non-state parties must be developed to take into

account all threats to the state.

In Cyber counterintelligence: Concept, actors and implications for security I offered a working definition of

CCI intended to take into account all parties that could present a threat to the security of the state

198 Taylor Telford, “1,464 Western Australian Government Officials Used ‘Password123’ as Their Password. Cool, Cool.,” Washington Post, August 23, 2018, https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/. In a 2019 report by the UK’s National Cyber Security Centre, the world’s most-breached passwords are “123456” and “123456789” David Bisson, “‘123456’ Remains the World’s Most Breached Password,” Security Boulevard, April 22, 2019, https://securityboulevard.com/2019/04/123456-remains-the-worlds-most-breached-password/; National Cyber Security Centre, “Most Hacked Passwords Revealed as UK Cyber Survey Exposes Gaps in Online Security,” National Cyber Security Centre, April 21, 2019, https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security.


66

requiring CCI to mitigate. That definition, first identified in chapter one and reiterated here, is the

one which will inform the analysis of CCI offered in this thesis:

cyber counterintelligence… concerns the methods, processes and technologies employed to prevent, identify, trace, penetrate, infiltrate, degrade, exploit and/or counteract the attempts of any entity to utilise cyberspace as the primary means and/or location of intelligence collection, transfer or exploitation; or to effect immediate, eventual, temporary or long-term negative change otherwise unlikely to occur.199

By defining CCI in this way, the intent is that all possible attack vectors are taken into account in

considering overall security in cyberspace, while retaining the intellectual coherency required for

this definition to apply. Non-state actors of various kinds and sizes are capable of affecting state

security through the collection and exploitation of intelligence, and in more ways than just a direct

attack on government servers, software, applications or data, though these are all possible targets

and will likely remain targets far into the future.200

The danger that non-state actors pose to the state in cyberspace, I would argue, is mainly through

the public loss of perceived security when democratic institutions, financial entities, the defence

forces, and health institutions suffer cyber-attacks like the ransomware that attacks on hospitals in

the UK, Germany, and the US state of Illinois,201 or the loss of client data during the JP Morgan

Chase hacks.202 These sorts of losses affect not only the reputations and profit/loss balances of

the victim institutions, but for those with a perceived link to the state, there is also a loss to the

state itself, both in revenues and in reputation. After all, if important institutions are unable to

repel cyber-attacks, and if the government of their home state is further unable to either attribute

the attacks or aid in the defences of these institutions, then that state might be vulnerable to further

attacks, from better equipped malicious actors.203 These sorts of security failures do not represent

199 O’Connor, “Cyber Counterintelligence,” 112. 200 Dale Beran, “The Return of Anonymous,” The Atlantic, August 11, 2020, https://www.theatlantic.com/technology/archive/2020/08/hacker-group-anonymous-returns/615058/; Bussolati, “The Rise of Non-State Actors in Cyberwarfare”; Nina Kollars, “Cyber Conflict as an Intelligence Competition in an Era of Open Innovation,” Texas National Security Review Special Issue: Cyber Conflict as an Intelligence Contest (2020), https://tnsr.org/roundtable/policy-roundtable-cyber-conflict-as-an-intelligence-contest/. 201 Russell Brandom, “UK Hospitals Hit with Massive Ransomware Attack - The Verge,” The Verge, May 12, 2017, https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin; Nicole Wetsman, “Woman Dies during a Ransomware Attack on a German Hospital,” The Verge, September 17, 2020, https://www.theverge.com/2020/9/17/21443851/death-ransomware-attack-hospital-germany-cybersecurity. 202 Reuters Staff, “JPMorgan Hack Exposed Data of 83 Million, among Biggest Breaches in History,” Reuters, October 2, 2014, https://www.reuters.com/article/us-jpmorgan-cybersecurity-idUSKCN0HR23T20141002; Kim Zetter, “Four Indicted in Massive JP Morgan Chase Hack,” Wired, October 10, 2015, https://www.wired.com/2015/11/four-indicted-in-massive-jp-morgan-chase-hack/. 203 Cyber-attacks against defence contractors, for example, have resulted in states like China exfiltrating large volumes of sensitive information concerning military technologies like radar systems for fighter planes. Philip


67

an existential threat to states, but the accompanying demonstration of vulnerability to malicious

actors can undermine the public perception of (and trust in) the ability of the state to ensure the

resilience and security of critical systems. As I argue in chapter three, rather than needing to

securitise the threats posed, what these events contribute to is an elevation of cyber-enabled attacks

to a security risk, allowing for a wider array of management options and techniques, the tone and

intent of which can be communicated to the public.204 They form part of a historical record upon

which state representatives can draw when justifying further elevation of security concerns or risks,

legitimising the request for further resources or powers. Because this record exists, the state is

better able to either institute management measures, or to draw upon the record for a justification

of extraordinary powers in order to mitigate an immediate threat. Elevation perspectives allow for

a more nuanced approach to understanding the evolution of risks and threats in an increasingly

connected and cyber-enabled international system

Beyond the audience perception of state vulnerability to cyber-attacks, however, there is also the

more insidious vulnerability of public institutions to cyber-enabled threats such as disinformation

campaigns. Information is transmitted extremely rapidly through cyberspace and via cyber-enabled

platforms and devices, making disinformation campaigns both difficult to track and to counter.

Because disinformation campaigns involve the infiltration of false information into a particular

political ecology for the purpose of changing behaviour or policy in a target environment,

counterintelligence is a particularly useful framework of analysis. The decreasing integrity of the

information environment available to the general public should be of significant concern to the

state, and in fact to substate actors that also depend on information integrity to function.

Cyberspace challenges the notions of information integrity and control – cyber counterintelligence

offers a useful framework for understanding and processing the challenges of cyber-enabled

disinformation campaigns.

Disinformation

A vital aspect of counterintelligence is the production of, and response to, deliberately misleading,

false, or manipulative information: disinformation. Disinformation campaigns, defined as the

Dorling, “China Stole Plans for a New Fighter Plane, Spy Documents Have Revealed,” The Sydney Morning Herald, January 18, 2015, https://www.smh.com.au/national/china-stole-plans-for-a-new-fighter-plane-spy-documents-have-revealed-20150118-12sp1o.html; Tom Westbrook, “Joint Strike Fighter Plans Stolen in Australia Cyber Attack,” Reuters, November 10, 2017, https://www.reuters.com/article/us-australia-defence-cyber-idUSKBN1CH00F. 204 In some circumstances, public communications can include techniques for individuals to assess their own interactions with cyberspace and provide an array of tools for personal privacy assurance, or basic individual CCI practices.


68

deliberate introduction of false information into a target environment in order to instigate

behavioural or political change, is a particular concern in an era where the transmission of

information can occur instantaneously, and where the potential reach of that information is global.

Where once it may have been possible to limit the spread of disinformation due to geographical

or linguistic differences, or through the difficulty of information transmission, cyberspace and

related technologies have removed those obstacles. According to Thomas Rid, the modern era of

disinformation began around the 1920s, when the practices that had previously been considered

‘political warfare’ started evolving. Rid traces this evolution through four major ‘waves’ of

disinformation evolution.205 The first wave he identifies as having formed in the interwar period

of the late 1920s and 1930s; it was characterised by influence operations and forgeries, perfected

and used by both Eastern and Western blocs.206 During the second wave in the post-World War

II years, disinformation became a profession: for the CIA, targeted revelation of truths and

forgeries, while subversion was still called political warfare. For the Soviet Union, disinformation

became the preferred term.207 Either way, “the goals were the same: to exacerbate existing tensions

and contradictions within the adversary’s body politic, by leveraging facts, fakes, and ideally a

disorienting mix of both.”208 The third wave of disinformation Rid identifies as having evolved in

the late 1970s, and during the late Cold War years disinformation – by then active measures in the

Soviet Union – became a well-resourced art form honed to what Rid characterises as “an

operational science of global proportions, administered by a vast, well-oiled bureaucratic

machine.”209 The fourth and final wave of disinformation as identified by Rid developed in the

205 Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare (London: Profile Books, 2020), 6. 206 Rid, 6–7; See also Alma Fryxell, “Psywar By Forgery,” Studies in Intelligence, 1961, https://doi.org/10.1037/e740372011-001. 207 According to Garth S. Jowett and Victoria O’Donnell, disinformation is another term for black propaganda: “disinformation is usually considered black propaganda because it is covert and uses false information. In fact, the word disinformation is a cognate for the Russian dezinformatsia, taken from the name of a division of the KGB devoted to black propaganda.” Garth S. Jowett and Victoria O’Donnell, Propaganda & Persuasion (Newbury Park: SAGE Publications, 2018), 23. Jowett and O’Donnell also articulate three forms of propaganda which are classified according to the acknowledged relationship to the source of information and the accuracy of the information communicated: white, grey, and black. “White propaganda comes from a source that is identified correctly, and the information in the message tends to be true…Black propaganda is when the source is concealed or credited to a false authority and spreads lies, fabrications, and deceptions…Gray propaganda is somewhere between black and white propaganda. The source may or may not be correctly identified, and the accuracy of the information is uncertain.” Jowett and O’Donnell, 17–22. See also Jacques Ellul, Propaganda: The Formation of Men’s Attitudes (New York: Vintage Books, 1973); Bruce A. Arrigo, The SAGE Encyclopedia of Surveillance, Security, and Privacy, vol. 3 (SAGE Publications, 2016), 825–28. 208 Rid, Active Measures: The Secret History of Disinformation and Political Warfare, 7. 209 Rid, 7. See also Nicholas J. Cull et al., “Soviet Subversion, Disinformation and Propaganda: How the West Fought Against It - An Analytic History, with Lessons for the Present,” LSE Consulting (London: LSE Institute of Global Affairs, 2017), https://www.lse.ac.uk/iga/assets/documents/arena/2018/Jigsaw-Soviet-Subversion-Disinformation-and-Propaganda-Final-Report.pdf; Herbert Romerstein, “Disinformation as a KGB Weapon in the Cold War,” Journal of Intelligence History 1, no. 1 (June 2001): 54–67, https://doi.org/10.1080/16161262.2001.10555046.


69

mid-2010s, with novel technologies and the internet reshaping and breathing new life into

disinformation.210 According to Rid, however, this evolution is not necessarily a positive one – the

access to increasingly large swathes of foreign populations and the ease with which this is

accomplished has resulted in disinformation campaigns that are more active than they are

measured.211 While disinformation operations are rapid-fire and multi-level, they are also more

easily identified and mitigated – where the forgeries of the second and third wave might become

institutional ‘knowledge’, and were very carefully created and disseminated, modern disinformation

is frequently identified with ease.

Rid makes a specific point which I discuss further in chapter six of this thesis, namely that

disinformation is particularly corrosive to liberal democracies because it not only reduces trust in

the democratic institutions we use and rely on to structure our societies, but it also damages our

ability to properly assess and discriminate fact from fiction when we make decisions as the relevant

audience of governments that we elect.212 Disinformation is therefore a concern at all levels of a

liberal democracy: very much for the governing administration, as disinformation is more than

anything an issue for intelligence agencies (both to conduct and to mitigate) – in a cyber-enabled

system, CCI becomes a pillar of democratic integrity and resilience. Disinformation also becomes

a threat to the democratic audience, who can be more easily targeted by adversary intelligence

communities through participation in cyberspace and particularly via the massive social media

platforms. As such, and perhaps uniquely to cyberspace, counterintelligence that can contribute to

the aggregate security of the sovereign state becomes at least partially the responsibility of the

individual, to say nothing of how the personal cyber security of the individual will increase once

CCI practices are employed – for an in-depth examination of who uses (should use) CCI, see

chapter five.

Successful disinformation operations also depend on the hostile actor’s understanding of the local

political climate and sentiments of the target state – in order to introduce a strategic narrative to

the target information ecology, the hostile actor must be in tune with ‘local’ sentiment and

emotion, have knowledge of the domestic political myths and a good grasp on the nation’s values.

210 Bente Kalsnes, “Fake News,” in Oxford Research Encyclopedia of Communication (Oxford: Oxford University Press, 2018), https://doi.org/10.1093/acrefore/9780190228613.013.809. See also Alina Polyakova and Daniel Fried, “Democratic Defense against Disinformation 2.0,” Report (Atlantic Council, June 9, 2019), https://apo.org.au/node/242041. 211 Rid, Active Measures: The Secret History of Disinformation and Political Warfare, 7. 212 Rid, 7–8. See also Don Fallis, “A Conceptual Analysis of Disinformation,” in IConference 2009 Proceedings (iConference, University of Illinois, 2009), 8, http://hdl.handle.net/2142/15205.


70

Vladimir Petrovich Ivanov, former head of the Soviet Service A (the KGB disinformation unit)

gave this description of disinformation:

Based on the analysis of all the material…the officers are obliged to find the overwhelming outbreaks of crises, dissatisfaction, friction, disagreement, rivalry and struggle in the enemy camp. The discovery of such looming crises…and then the identification of the most sensitive vulnerabilities, required scientific knowledge and a scientific approach, knowledge of the objective processes in the world and in the country of residence.213

Disinformation is usually seeded by adversary intelligence communities in order to achieve a

particular objective. Whether that objective is a specific decision by a target audience (e.g. candidate

A over candidate B), or the sowing of confusion among a population, or the degradation of the

pillars of democracy – it is seeded for a purpose. It is the responsibility and function of

counterintelligence to identify and mitigate these information operations. Disinformation

undertaken at scale that is not mitigated can have national and even international effects – consider

the disinformation surrounding the COVID-19 vaccinations that is being circulated by the Russian

Federation, as an example.214 COVID-19 disinformation will be briefly considered in a vignette in

chapter six in the context of a broader discussion on the importance of audiences in efficient CCI.

Instantaneous communication and transmission of data has increased not only the reach of

disinformation campaigns, but the sectors in which it is possible for these campaigns to adversely

affect the target. That these campaigns are often informed and enabled through the exploitation

of intelligence gathered through prior operations make them a particular concern to democratic

states – in order to enhance the cyber security position of the state, the intelligence apparatus' need

to elevate the response to disinformation through the instigation of CCI measures and education.

Misinformation

Misinformation is not the same as disinformation; while similar, the terms should not be used

interchangeably. Misinformation refers to information which is “unintentionally inaccurate or

misinterpreted,”215 whereas disinformation is “deliberately false or misleading information”216 that

is communicated in order to achieve a particular political goal. Misinformation can be dangerous

to liberal democracies in similar ways as disinformation, in that democratic audiences are as

213 Rid 2020 p.315 214 OECD, “Combatting COVID-19 Disinformation on Online Platforms,” July 3, 2020, https://www.oecd.org/coronavirus/policy-responses/combatting-covid-19-disinformation-on-online-platforms-d854ec48/; Scott, “In Race for Coronavirus Vaccine, Russia Turns to Disinformation,” POLITICO, November 19, 2020, https://www.politico.eu/article/covid-vaccine-disinformation-russia/. 215 Jennifer Hunt, “The COVID-19 Pandemic vs Post-Truth” (Global Health Security Network, 2020), 5, https://www.ghsn.org/resources/Documents/GHSN%20Policy%20Report%201.pdf. 216 Hunt, 5.


71

susceptible to believing misinformation as they are to disinformation: psychologically, on the side

of the target, there is no difference - the information is false. Instead, the difference lies in the

intent and the origin. Misinformation is false information, but it is unintentionally so –

misunderstanding or misinterpretation has resulted in the belief of the inaccurate information.

Those who communicate misinformation, then, do so in the belief that what they are conveying is

true: there is no inherent malicious intent. Regardless of malicious intent, however, the

communication of inaccurate or misleading information can still cause damage to institutional and

democratic legitimacy and integrity. There can also be far-reaching implications if false information

is transmitted to large segments of the population, as with global health or political conspiracy

theories. As such, misinformation may not be introduced maliciously into an information ecology,

but it still has the potential to damage political and democratic integrity through the acceptance of

misleading or inaccurate information into the belief structures of the democratic audience. It is

therefore a counterintelligence requirement to identify and mitigate the effects of misinformation

as soon as practicable. In relation to both disinformation and misinformation, it is crucial that

governments recognise the risks to audience psychology of such information operations and

manage those risks accordingly. I discuss this in detail in chapter six.

Conspiracy theories

Conspiracy theories are a form of misinformation,217 in that they are created, supported, and

communicated (for the most part) by communities of individuals who genuinely believe that their

theory is grounded in evidence and within the bounds of belief with sufficient explanation. Some

conspiracy theories are well known; that Area 51 contains aliens that crash-landed in Roswell, for

example.218 That Neil Armstrong never landed on the moon,219 or that climate change is an

imposed fiction are other examples.220 The individuals that engage in these communities do so out

217 Though I note here that conspiracy theories may be deliberately created, seeded, spread, and maintained as active disinformation programs. While ordinarily characterisable as misinformation, it is important to remember that conspiracy theories can just as easily have their origins in disinformation and influence campaigns: disinformation and misinformation are not mutually exclusive. 218 Shelley E. McGinnis, “Dallas, Roswell, Area 51: A Social History of American ‘Conspiracy Tourism.’” (Chapel Hill, University of North Carolina, 2010); Martin Parker, “Human Science as Conspiracy Theory,” The Sociological Review 48, no. 2 (2000): 191–207; Lucianne Walkowicz, “The Source of UFO Fascination,” Issues in Science and Technology 35, no. 4 (2019): 12–14. 219 Lauren Nowakowski, “The Moon Landing: Fake Movie Set or the Real Deal?,” The Psychology of Extraordinary Beliefs, March 29, 2019, https://u.osu.edu/vanzandt/2019/03/; Viren Swami et al., “Lunar Lies: The Impact of Informational Framing and Individual Differences in Shaping Conspiracist Beliefs About the Moon Landings,” Applied Cognitive Psychology 27, no. 1 (2013): 71–80, https://doi.org/10.1002/acp.2873. 220 Karen M. Douglas and Robbie M. Sutton, “Climate Change: Why the Conspiracy Theories Are Dangerous - Karen M. Douglas, Robbie M. Sutton, 2015,” Bulletin of the Atomic Scientists 71, no. 2 (2015): 98–106, https://doi.org/10.1177/0096340215571908; Joseph E. Uscinski, Karen Douglas, and Stephan Lewandowsky, “Climate Change Conspiracy Theories,” in Oxford Research Encyclopedia of Climate Science (Oxford: Oxford University Press, 2017), https://doi.org/10.1093/acrefore/9780190228620.013.328.


72

of belief. They can also be incredibly damaging, as recognised by Jennifer Hunt – “[i]n 2019, the

Federal Bureau of Investigation (FBI) identified conspiracy theories as a form of domestic

extremism in that they channel violence toward perceived enemies, writing that ‘these conspiracy

theories very likely encourage the targeting of specific people, places, and organisation.’”221

Particularly in the wake of the domestic unrest in the US and the contributions of senior political

leaders to the misinformation surrounding the 2018 and 2020 elections, as well as the ongoing

impacts of the novel coronavirus pandemic, conspiracy theories are taking on an increasingly

violent nature.222

Propaganda

Another related concept and political communication tool is propaganda. Recent research has

indicated that the Russian Federation is employing disinformation against Western-developed and

produced COVID-19 vaccines, with the presumed intent of garnering further support for and

purchase of Russia’s own Sputnik vaccine.223 Coronavirus conspiracy theories will be discussed

further in chapter six. According to Mark Lowenthal, propaganda is a synonym for

disinformation.224 While they are certainly related, I disagree that they are one and the same.

Whereas disinformation is false information communicated in the express pursuit of a political

goal, propaganda can just as easily (and often does) contain completely accurate information. I do,

however, agree with Lowenthal’s specific definition of propaganda, which he identifies as “the old

political technique of disseminating information that has been created with a specific political

outcome in mind. Propaganda can be used to support individuals or groups friendly to one’s own

side or to undermine one’s opponents.”225 Jason Stanley has a different, but complementary,

221 Hunt, “The COVID-19 Pandemic vs Post-Truth,” 6. 222 Arthur C. Brooks, “Opinion | Conspiracy Theories Are a Dangerous Threat to Our Democracy,” Washington Post, September 3, 2019, https://www.washingtonpost.com/opinions/2019/09/03/conspiracy-theories-are-dangerous-threat-our-democracy/; John Cook and Stephan Lewandowsky, “Coronavirus Conspiracy Theories Are Dangerous – Here’s How to Stop Them Spreading,” The Conversation, April 20, 2020, http://theconversation.com/coronavirus-conspiracy-theories-are-dangerous-heres-how-to-stop-them-spreading-136564; Graham Lawton, “Conspiracy Theories,” New Scientist, 2021, https://www.newscientist.com/definition/conspiracy-theories/; N.C., “Conspiracy Theories Are Dangerous—Here’s How to Crush Them,” The Economist, August 12, 2019, https://www.economist.com/open-future/2019/08/12/conspiracy-theories-are-dangerous-heres-how-to-crush-them. 223 Michael R. Gordon and Dustin Volz, “Russian Disinformation Campaign Aims to Undermine Confidence in Pfizer, Other Covid-19 Vaccines, U.S. Officials Say,” Wall Street Journal, March 7, 2021, sec. Politics, https://www.wsj.com/articles/russian-disinformation-campaign-aims-to-undermine-confidence-in-pfizer-other-covid-19-vaccines-u-s-officials-say-11615129200; Scott, “In Race for Coronavirus Vaccine, Russia Turns to Disinformation”; Mark Scott and Carlo Martuscelli, “Meet Sputnik V, Russia’s Trash-Talking Coronavirus Vaccine,” Politico, April 1, 2021, https://www.politico.eu/article/russia-coronavirus-vaccine-disinformation-sputnik/; Elise Thomas, “Covid-19 Disinformation Campaigns Shift Focus to Vaccines,” The Strategist, August 23, 2020, https://www.aspistrategist.org.au/covid-19-disinformation-campaigns-shift-focus-to-vaccines/. 224 Lowenthal, Intelligence: From Secrets to Policy, 235. 225 Lowenthal, 235.


73

understanding226 of propaganda, defining it as political rhetoric. Stanley identifies a significant

problem in relation to liberal democracy that is best described as ‘harmful propaganda’: if the

political rhetoric causing the harm cannot be mitigated, then the epistemic basis of liberal

democracy is flawed and in fact we cannot continue to use the descriptor of liberal democracy.227

He makes the link between successful propaganda and belief structures as well, which I examine

further in chapter six. That link also explains the increase in both conspiracy theory communities

and the subsequent rise in violence against those who are not members of that community, an

example of in-group/out-group thinking (or enmity and exclusion dynamics, discussed earlier in

this chapter through the examination of Schmittian realism).228 According to Stanley,

…the mechanisms that underlie effective propaganda are implicated even in barriers to liberal democracy that seem not to involve them…underlying effective propaganda are certain kinds of group identities. Some group identities lead to the formation of beliefs that are difficult to rationally abandon, since abandoning them would lead them to challenge our self-worth. When our identity is tied up with that of a particular group, we may become irrational in these ways. When this occurs, when our group affiliates are such as to lead us to these kind of rigidly-held beliefs, we become especially susceptible to propaganda.229

The belief persistence in communities with group identities can result in irrational behaviour, and

the persistent faith in information that can be credibly proven wrong. Adversaries and hostile

actors, with sufficient knowledge of the local political myths and the sentiment of the target

populations, can take advantage of the group identity to impose external strategic narratives that

benefit the adversary. In other words, if propaganda is understood as political rhetoric designed

and communicated to induce a specific political outcome, effective propaganda threatens both the

audience and the integrity of liberal democracies. Counterintelligence measures need to be

designed and undertaken to identify and mitigate propaganda operations, as they may have

negative effects on audience beliefs, belief structures and behaviour. Counterintelligence actors

can also use propaganda as a countermeasure in counter-propaganda operations, thus engaging in

proactive counterintelligence. Because cyberspace enables ease of access to target audiences, cyber-

enabled propaganda operations have the potential for pervasive effect and broad distribution,

requiring a concentrated and organised response.

226 Jason Stanley, How Propaganda Works (Princeton: Princeton University Press, 2015), 4. 227 Stanley, 10–11. 228 Stanley, 10–11. 229 Stanley, 19.


74

Computational propaganda

The widespread access to cyberspace and the internet, as well as the broad audience participation

in massive social media platforms, has encouraged a milieu in which computational propaganda is

capable of shaping public debate and inducing both psychological and behavioural change in

targeted populations. “Computational propaganda – the use of algorithms, automation and big

data to shape public life – is becoming a pervasive and ubiquitous part of everyday life.”230 This is

not a tool specific to hostile actors, in any respect – generic advertising uses computational

propaganda to induce customer purchases, for example. The use of computational propaganda,

however, can massively increase the reach and impact of disinformation and interference

campaigns. Computational propaganda can serve as a form of information control or information

laundering, where certain facts or sources (accurate or otherwise) can be signal-boosted by bot

accounts in order to gain traction in mainstream media, thus increasing the size of the recipient

population. The necessity for effective and efficient CCI becomes more stringent in the face of

computational propaganda tools, which can signal-boost and transmit disinformation faster and

more effectively than human agents or even networks of agents. Computational propaganda can

also be employed in counterintelligence operations, as it is itself a neutral set of tools and tactics.

Computational propaganda, and particularly the use of social media and communications

platforms in relation to disinformation and foreign interference, are themes I return to in the sixth

chapter of this thesis.

Conclusion

This chapter has provided a broad overview of the relevant bodies of literature necessary to answer

the question with which the research engages: how state threat perception of cyberspace has

developed, and how or whether that perception is influencing the evolution of CCI as a response

to cyber-enabled threats, such as disinformation. In assessing the literature on traditional

securitisation theories, I reached the conclusion that rather than viewing securitisation as a process

of social construction of threats, an evolution and modernisation of the framework is necessary in

order to answer my research question. Instead of social construction of threat, political concerns

undergo threat elevation processes that are based on, and justified by, pre-existing security

conditions.

230 Samantha Bradshaw and Philip N. Howard, “The Global Disinformation Order: 2019 Global Inventory of Organised Social Media Manipulation” (Oxford: University of Oxford Computational Propaganda Research Project, 2019), i, https://demtech.oii.ox.ac.uk/wp-content/uploads/sites/93/2019/09/CyberTroop-Report19.pdf?utm_source=newsletter&utm_medium=email&utm_campaign=timestop10_daily_newsletter.


75

This more nuanced understanding of the elevation of threats also informs the second body of

literature addressed in this chapter: that of traditional counterintelligence, which must also evolve

in order to adequately counter information operations in the cyber age. I discussed the

development and purpose of traditional counterintelligence before using that literature review to

lay the foundation of future chapters by examining how CCI should be defined.

Counterintelligence provides a useful framework through which to understand the problems posed

by instantaneous communications technologies, like the decreasing integrity of information that

informs polities. The final section of this chapter reviewed the literature relation to disinformation,

providing a brief discussion of the development and use of disinformation, and how it is

differentiated from other forms of false or misleading information. Modern disinformation

campaigns are increasingly conducted through cyber-enabled technologies and platforms, and are

informed by and affect intelligence collection and exploitation, making them a particular problem

for counterintelligence actors. Having laid this foundation, the next chapter articulates the threat

elevation analysis framework which is used as the analytical lens for the remainder of the thesis.

76

3 - Threat Elevation Analysis In this chapter, I offer an alternative conception of securitisation theory than that of the

Copenhagen School. As I subsequently argue, developing this alternative view allows for a more

practical and comprehensive view of cyber counterintelligence (CCI). Where traditional

counterintelligence was the explicit purview of the state actor, in a cyber-enabled information age,

there is a growing necessity for substate actors to also engage in CCI measures in order to

contribute to the overall cyber security of the state. Cyber counterintelligence is one of the four

branches of cyber security identified in the introduction to this thesis – see Figure 1 The Elements

of Cyber Security. How then can we assess whether or not the importance of CCI has been

adequately recognised and supported in national security policies and documentation? A nuanced

analytical framework that recognises the broader array of securitising actors, methods of discursive

legitimation of threat elevation, and contemporary supra- and interstate security concerns such as

disinformation will inform the examination of CCI understanding and implementation.

In the traditional view, securitisation is a process by which an issue is constructed as a security

threat via a speech act, a performative act of discourse designed to convince a particular audience

of the existentially threatening nature of the chosen issue (designated threat) to the state. I argue

that, rather than accept that the process of securitisation constructs threats without relevant

evidence to support the claim of existential danger, that securitisation should be viewed as a

process of elevation. As an elevation process, securitisation would thereby take into account such

variables as the historical relationship between the hostile or conflicting parties, and the evidence

for which a claim of existential threat is being made. There would need to be a record of risk, both

actual and perceived, such that there is a pre-existing reasonable belief that the hostile party in

question is capable of presenting an existential threat to the state or its interests. In this respect,

securitisation as a threat elevation engages more with realist understandings of the effects of pre-

existing structural conditions without negating the basic functions of the securitisation framework.

Moreover, this reconstruction of the notion of securitisation as threat elevation has significant

implications for CCI.

Securitisation as Threat Elevation Theory

Securitisation theory herein understood is not a method or theory of (social) construction of

threats within the field of critical security studies. Rather, it is a method, or theory, of elevation from

political issue to security threat, requiring and resulting in the creation or change of actionable

policy. With this overall concept in mind, this chapter will examine and build on the concept of


77

securitisation as elevation, reformulating existing securitisation theory into a framework that is

applicable and relevant in the modern context. It provides answers to the questions - what are the

pillars of elevation theory? How do the changes made to the original securitisation framework

contribute to a better understanding on the development, use, and exploitation of cyberspace?

Once established, elevation theory will be used to examine how, or if, cyberspace has been

securitised within an analysis of the history and development of the cyber domain. When did

cyberspace become an attack vector, and how? What have been the responses to the weaponisation

of cyberspace by actors within the identified collectives? How has all of this impacted on the field

of intelligence? Again, in addition to elevation being a relevant contribution to security studies, this

is in service of providing a better and more effective way of understanding and applying CCI.

Difference to Traditional CST

Traditional or Copenhagen securitisation theory (CST) forms the foundation upon which all

successive forms of securitisation were built. As such, I have made minimal changes to the number

or type of variables that must be taken into account for a securitisation process according to

elevation theory. One possible criticism of this approach is that by utilising an incredibly similar

analytical toolbox to construct my variant theory, the resulting framework will lack sufficient

disparity to produce any ‘new’ knowledge. My answer to this criticism is that broadly speaking,

most international relations theories draw from the same box of variables in their analysis. The

merit of any particular international relations theory, whether from realist, liberal, or constructivist

schools of thought, is based upon the utility of the conclusions that can be reached using that

framework’s particular analytical lens. Elevation theory is one such lens.

The primary difference between traditional securitisation theories and elevation theory is the

presumption of historical relationship between parties in a state of conflict or pre-conflict. I argue

that conflict at the international level, be it regional or global, cannot spark from nothing. Every

country has a historical relationship upon which decisions of alliance, amity or enmity are based.

This cannot be doubted, for these relationships influence and are influenced by political and

military decisions every day, and have been since the creation of the modern Westphalian state

system in 1648.231 It is the change in balance of any one or more of these relationships that will

cause the actions of the state in question to be considered more or less hostile. We should not

231 Geoffrey Wiseman and Paul Sharp, “Diplomacy,” in An Introduction to International Relations, ed. Anthony Burke, Jim George, and Richard Devetak, 2nd ed. (Cambridge: Cambridge University Press, 2011), 259, https://doi.org/10.1017/CBO9781139196598.022.

Chapter 3 - Threat elevation analysis

78

confuse this concept with balance of power theory,232 because elevation theory is not concerned

with the construction or breakdown of alliances and bandwagons in the international system and

the consequent breakdown of power relationships. Elevation theory instead seeks to explain how

an issue becomes an existential security threat, the process through which it must go before it can be

the instigating factor of a securitising move by a relevant actor with legitimate authority to speak

security. This process, which traditional securitisation theory sees as one of (social) construction,

in the theoretical framework offered by this thesis becomes a process of elevation based on existing

variables, both provable and perceived.

Threat Elevation Process

Recall from chapter two that CST is the general theory that threats are securitised, and

extraordinary powers of mitigation engaged, when a legitimate actor speaks security before a

relevant audience. In contrast to securitisation, I am presenting here a process of threat elevation.

The threat elevation process begins, at base, with either an examination, or at least a general

understanding, of the historical relationship between hostile or conflicting parties, and how the

recent actions of those parties ought to be understood in light of that relationship. It could be

argued that any single existential threat is either an action, or the result of an action, by either an

adversary or the state that is securitising a perceived threat. If such is the case, then there must be

evidentiary support in the recent or historical relationship between conflicting parties that would

lend credence to the perception of malicious intent and subsequent threat of danger. It would be

difficult, if not impossible, to securitise an issue that has not previously been considered

threatening in one way or another.

This is where elevation theory departs from traditional securitisation theory. In CST, presumably,

any political issue or concern can be securitised as long as the securitising actor can convincingly

represent that issue or concern as existentially threatening to the referent object (that object

typically being the sovereign state).233 The introduction of the historical relationship as variable,

and the foundation of elevation theory, depend on a pre-existing acknowledgement of the threat

that a party has, or could represent. This acknowledgement must be based at least in part on the

historical record, or there would be no grounds for a securitisation. It is unlikely that a threat of

232 A discussion of balance of power theory is beyond the scope of this thesis. See Partha Chatterjee, “The Classical Balance of Power Theory,” Journal of Peace Research 9, no. 1 (1972): 51–61; T. V. Paul, James J. Wirtz, and Michel Fortmann, Balance of Power: Theory and Practice in the 21st Century (Stanford University Press, 2004). 233 Though as noted in chapter two, this is dependent on the referent object and in some significant part, the sector being securitised.


79

existential nature could appear from absolutely nothing, and I hold that no statesman would

attempt to securitise an issue if there is no record of past threat or danger. It would prove extremely

difficult to persuade a relevant audience to perceive danger where danger, or at least threat of

danger has not previously existed. Any issue which could conceivably be securitised, then, must

already be on the radar of political and/or military authorities, and, to some degree, their audience.

If this is the case, then such an issue cannot be constructed as a security threat, because the threat

or the potential of threat has already been acknowledged to exist. If a threat already exists, albeit

as an object of concern or a political issue, then it must be elevated if the danger surrounding said

issue increases. Thus, securitisation is the process by which a political concern becomes a security

threat.

The political issues or concerns that are the subject of an elevation process can be separated into

three broad categories, which I have labelled first, second, or third order. Figure 5 - Securitisation

and the orders of concern (see next page) is a pyramidal depiction of the three. Third order

concerns are those within the bounds of normal politics. These issues can be resolved within the

normal institutional (political) processes, and are not necessarily of military concern. Certainly, they

are not considered threatening enough to require an excess of attention or in need of extraordinary

measures to mitigate. Generally speaking, elevation theory is concerned with the second and third

orders, and the journeys and transitions between the three orders of concern. The second order

issues are those which are currently being riskified; they have been identified as risks or threats to

state security and are in need of more attention than third order issues but are not yet considered

existentially threatening. First order issues are those issues which have been fully securitised; they

are completely beyond the realms of normal politics and regular institutional processes; they

require extraordinary measures of threat mitigation and represent an existential threat to the state,

whether perceived or real. The journey from third order to second order is the riskification process,

and the journey from second to first order the securitising process. The whole process is one of

elevation, with riskification concerned with the transition from first to second order issues, and

securitisation concerned with the transition from second to first. Riskification was first identified

and elaborated by Olaf Corry, and his work has greatly influenced the elevation theory

framework.234 In order to properly understand elevation theory, I will now examine these separate

but related processes.

234 Corry, “Securitisation and ‘Riskification.’”


80

Riskification and Securitisation in Cyberspace

As defined by Olaf Corry, riskification is a process by which an issue is identified as a possible

security threat and mitigated as such. 235 A security risk, of course, is not at the same level of danger

as a threat in the sense of securitisation theory (any variant), in which the threat is considered

existential. It is important, as stated in Corry’s work, to differentiate between those issues or

concerns which are risks, and those which are threats and thus likely to be the subject of a

securitising process. However, for the purposes of this thesis, Corry’s elaboration of the nature of

the process of riskification will be adopted as part of the securitisation framework. In riskification

according to Corry, it is perfectly acceptable to designate something as a risk and no social

construction of threat is required: it is assumed that the acknowledgement of the risk is a settled

matter amongst those that handle security concerns. As such, no speech act is required in order to

designate a risk, and threat construction only becomes a variable when the risk increases to the

point of requiring a securitisation process. This is one of the primary differences between

riskification and securitisation as theoretical frameworks — the focus on the element of risk is why

second order concerns in elevation theory have been nested within the riskification framework.

Elevation performs a crucial intermediary function between third order concerns (which can be

handled through regular institutional process and thus constitute normal politics) and first order

concerns (which are or have been the subject of securitisation and require extraordinary measures

of threat mitigation) – refer to Figure 5 - Securitisation and the orders of concern.

235 Corry.


81

Figure 5 - Securitisation and the orders of concern

The true differences between a security risk and a security threat, as outlined by Corry, are the

sense of immediacy of the problem at hand and the existential nature of that problem.236 A risk is

“a scenario necessarily located in the future which is connected to a policy proposal [that offers] a

way of preventing that risk from materialising into real harm,”237 whereas a threat is necessarily

more immediate a danger and thus a concern of the first order. Therefore, second order risks have

been acknowledged as having the potential to become a threat but do not (at present) pose enough

actual or perceived danger to be elevated to a first order threat. If, and only if, the nature of the

risk changes such that the dangers posed are imminent and potentially existential, can that risk

even qualify as a potentially securitisable concern.

This is also where the notion of historical relationship and record of malicious or hostile intent

must be considered. If a hostile party or a security concern has already been riskified, and this has

already been acknowledged as a potential threat, then while it can be elevated through securitisation,

it cannot be constructed. There must be evidence of potential danger in order for something to be

236 Corry, 244. 237 Corry, 244.


82

designated a risk in the first instance. And of course, without that acknowledgement of danger, a

third order concern is unlikely to be successfully securitised and thus raised to a first order concern,

by even the most legitimate and authoritative of actors.

After an issue has been riskified, if the potential danger posed is perceived to increase or be

extremely likely to increase, and it poses some (or can be presented as posing some) existential risk

to a given referent, then that issue becomes securitisable. The journey an issue undertakes from

second order risks (having been successfully riskified) to first order threats, is the securitising

process itself. The reverse of this process, wherein threats are de-securitised and risks are de-

riskified, is called threat attenuation.238

This is where the interaction of the exigent variables occurs, where the legitimate actor authorised

to speak security performs the speech act before a relevant audience, with the intent of convincing

that audience of the existential nature of the threat in question. The ultimate goal of the securitising

process, a successful securitisation, sees that actor or a legitimate (institutional) body of their

choosing imbued with extraordinary powers (outside the norm for institutional processes) to

undertake extraordinary measures of threat mitigation in the face of that (perceived) threat. It

should be noted that even in the case of a successful riskification, there is no guarantee that any

given securitising process will be successful. There is also no guarantee that a securitisation that

might be considered morally necessary (such as environmental security) will be successful in the

face of economic, military, and political commitments, pressures and consequences. Elevation

theory does not seek to provide a moral explanation or analysis of how a political concern becomes

a security threat; it simply seeks to explain how the securitisation framework is best utilised to

analyse the process of elevation between third, second, and first-order security concerns. In other

words, to elevate a third order concern to a second order risk, the issue must undergo riskification.

To elevate a second order risk to a first order threat, the issue must undergo securitisation.

238 Threat attenuation receives less attention in this thesis than threat elevation, in large part due to the premise that if threat mitigation and/or risk management measures are successful, then those threats/risks have by definition undergone threat attenuation. Mitigation and management are attenuation practices. I acknowledge that this is an area of threat elevation analysis which necessitates further development, but it is beyond the scope of this thesis, as my focus is on the perceived threat elevation of cyberspace.


83

Relevance and Applicability

As many scholars have noted, and as has been discussed in earlier sections of this thesis, the

securitisation framework as outlined by Buzan, Waever and de Wilde has several weaknesses.239 In

chapter two, one of the weaknesses that I identified was the assumption that the securitising

process examined and explained the way in which an individual or representative of a given group

constructed a security threat, as though from thin air. One would logically assume that for the

purposes of the speech act at least, evidence would be required to prove existential threat to the

relevant audience before extraordinary powers would be granted, or even to convince the audience

of the existential nature of a given threat in the first instance. However, I was unable to find an

examination of this particular issue in the literature surveyed, and it is to fill this apparent gap in

the literature that I have constructed elevation theory as an alternative. By introducing the variables

of historical relationship and evidentiary support of (perceived) threat of/or danger, the

securitising process becomes one of threat elevation rather than threat construction. In so doing,

elevation theory moves to occupy a type of middle ground between its original constructivist field

of theory, and the more structural, military-focused realist field of theory. The three-tiered

approach to understanding the various levels of threat, with the riskification process representing

the transition between the third and second orders of concern, and the securitisation process

representing the transition between the second and first orders of concern, offers a framework

which can be easily applied to a multiplicity of scenarios.

This applicability to a wide range of potential scenarios is particularly useful when analysing long-

term securitising processes. When securitisation is considered an elevation process rather than a

bottom-up construction process, there is the possibility of analysing or examining greater time

spans. Particularly at the international and global scale, the rise of security threats from political

concerns often take place over a period of months or even years, with a multitude of speech acts

and even securitising actors before the securitisation is complete and/or successful.240 It may be

possible to point to one particular speech act and identify it as the conclusive securitising move,

but that may also be inordinately difficult. In elevation theory, any number of securitising acts over

a given period of time can contribute to the elevation from political concern to risk, or from risk

to fully securitised threat. In the current digital age, with near-instantaneous media coverage of

239 Knudsen, “Post-Copenhagen Security Studies: Desecuritizing Securitization”; McDonald, “Securitization and the Construction of Security”; Williams, “Words, Images, Enemies”; Williams, “Securitization as Political Theory: The Politics of the Extraordinary.” 240 This is not to discount swiftly-rising or ‘surprise’ threats, though it could be argued that with the benefit of hindsight and the elevation framework, the growth of a threat can always be traced and analysed. Elevation theory is not a predictive framework; it is ex post facto analytic.


84

every newsworthy issue globally, we have become accustomed to hearing about the ‘threats’ almost

as soon as they become apparent. However, by becoming inured to the spectacularised threats,

people may have become less aware of the broad range of threats which have not necessarily been

deemed spectacular enough for mediatisation. In an age where almost everything is available

immediately, our view of security has narrowed both in focus and in time; fewer people are aware

of the ‘broader picture,’ as it were, because as a general rule we have a higher disregard of the

middle-to-distant past than previous generations. This is a clear and concerning analytical oversight

on the part of citizens, academics, policymakers, and the media that deliver us so much news, so

rapidly. Reintroducing the value of time (in elevation theory) is an attempt to extend analytic

perspicacity such that a greater understanding of security threats is possible.

In terms of applying elevation theory to cyberspace, and eventually CCI as the primary focus of

this thesis, the element of time is particularly important. While cyberspace (and the Internet) in its

current form is what we as a people are most familiar with, both cyberspace and the Internet have

existed for decades, albeit in different forms. The elevation of cyberspace from a technological

and communications miracle, to a political concern, to a military risk, to a security threat took place

over a period of decades rather than weeks or months. While there are highly mediatised instances

of cyber-attacks and exploitation that it would be possible to identify as having instigated

securitising moves, it is impossible to identify a singular instance to which the securitisation of

cyberspace (in the original terms of threat construction rather than elevation) can be traced.241 It has

been a process of elevation spanning decades. Like the juggernaut that cyberspace is, it has only

been recently, as use and exploitation of cyberspace and related technologies has increased

monumentally, that the public at large have begun to realise the vulnerabilities that cyberspace can,

has, and will represent to general understandings of security.

The Threat Elevation of Cyberspace

In many respects, it is possible to state that cyberspace has been elevated whether this is

acknowledged and admitted, or not. Entire security industries have been built around the

opportunity and the vulnerability of cyberspace. The emergence at the end of the twentieth century

of official computer emergency response teams, or CERTs, is proof that cyberspace was moving

through an elevation process.242 CERTs indicate that cyberspace at the least has been successfully

241 This point is borne out in the case study of the UK, presented in chapter four. 242 European Union Agency for Cybersecurity, “CSIRT Inventory,” Topic, ENISA | European Union Agency for Cybersecurity, 2021, https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-inventory; International Cyber


85

riskified, and is an issue no longer solely confined within the bounds of normal politics. It has only

been in recent years, however, that cyberspace has been subject to the securitising process: more

evidence is becoming available to suggest that the use of cyberspace as an attack vector is increasing

in both volume and severity.243 Information that previously would have been extremely difficult (if

not impossible) to obtain except through meticulous intelligence operations may now be easier to

acquire through cyberspace. In addition to both state and non-state actors having the capacity to

launch cyber-attacks on vulnerable infrastructures, cyberspace is an intelligence vulnerability as

well. Terabytes of information are exfiltrated and exploited every year, and it is often improbably

difficult to attribute attacks to a specific party.244 These factors, among others, have contributed to

the elevation of perceived danger, both real and potential, of cyberspace.

Having examined traditional securitisation theory, and offered an elevation variant that I believe

to be particularly applicable to cyberspace as well as being a relevant analytical tool for any conflict

situation, this section will now analyse the development of cyberspace as we know it today, through

the lens of elevation theory. If securitisation is a process of elevation, then we should be able to

examine the recent history of cyberspace in such a way that the process from technological marvel

to security threat is not only evident, but occurs in a logical sequence with the requisite evidentiary

support. In addition, the nature of the relationship between parties that have perpetrated and

suffered cyber-attacks and/or exploitation during the period examined will also bear upon our

understanding of the nature of the elevation process. I posit that the threat perception of

cyberspace has been elevated on two levels, albeit not mutually exclusive: elevation has occurred

at the individual state level, and it has also occurred at the international (global) level. The manner

in which individual states have elevated, or are elevating the threat perception of cyberspace has

contributed to a global threat elevation process, which is in turn affecting the manner in which

Center, “C.E.R.T in Rest of the World,” International Cyber Center | George Mason University, 2021, http://www.internationalcybercenter.org/certicc/certworld; United Nations Institute for Disarmament Research, “The Cyber Index: International Security Trends and Realities” (Geneva: United Nations Institute for Disarmament Research, 2013), https://www.unidir.org/files/publications/pdfs/cyber-index-2013-en-463.pdf. 243 Adi Gaskell, “The Rise in State-Sponsored Hacking in 2020,” CyberNews, February 5, 2020, https://cybernews.com/security/the-rise-in-state-sponsored-hacking/; Interpol, “INTERPOL Report Shows Alarming Rate of Cyberattacks during COVID-19,” Interpol, August 4, 2020, https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19; Sean Joyce et al., “How to Protect Your Companies from Rising Cyber Attacks and Fraud amid the COVID-19 Outbreak,” PwC, March 2, 2021, https://www.pwc.com/us/en/library/covid-19/cyber-attacks.html. 244 Collin S. Allan, “Attribution Issues in Cyberspace,” Chicago-Kent Journal of International and Comparative Law 13, no. 2 (2013 2012): 55–83; David D. Clark and Susan Landau, “Untangling Attribution,” in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (Washington, D.C.: National Research Council of the National Academies, 2010), 25–40, https://doi.org/10.17226/12997; Thomas Rid and Ben Buchanan, “Hacking Democracy,” SAIS Review of International Affairs 38, no. 1 (2018): 3–16, https://doi.org/10.1353/sais.2018.0001.


86

states perceive the cyber domain. The self-reinforcing nature of cyberspace elevation is not

particular to the cyber domain, and could be observed in other contexts as part of the elevation

framework. Outside influence and perception is an integral part of the elevation framework, and

third-party perception of or response to the (perceived) threat of cyberspace could in fact be the

instigating event that begins a riskification or securitisation process.

Elements of Threat Elevation Analysis

I turn now to how the elevation process affects the elements of securitisation identified in chapter

two. In large part, the interaction of the elements of securitisation remain the same when examined

through the lens of elevation theory. There will be some differences, usually to modernise a part

such that it is more applicable to a contemporary political system where digital technologies are

proliferating rapidly.

The Speech Act

As discussed in chapter two, there have been several criticisms of the concept of the speech act,

usually in terms of what differentiates a securitising speech act from a general political speech.245

In a digitalised society such as we now have across the majority of the world, for a securitisation

process to be valid only when instigated through a speech act performed by a legitimate actor is

unreasonable. Whereas in the past a much smaller echelon of individuals dealt in concerns that

could threaten the state and public communication surrounding national security concerns was

less common, in modern times, communications are instantaneous and the broadcast media have

just as much chance of instigating a riskifying or securitising process as some elected officials. This

is due in part to the media having been given the legitimacy and authority to transmit, analyse, and

opine on issues of security almost immediately after those issues become apparent.

If we take once again the September 11 attacks as an example, mere moments after the first Tower

was hit, the disaster was being broadcast worldwide in real time; small children in New Zealand

kitchens watched the second Tower being hit at near the same time as those on the streets of

Manhattan.246 If, as previously discussed, a discursive legitimating act can include transmission of

ideas by more than one medium (i.e., the spoken word), then the image of the Towers billowing

smoke just before collapsing was the instigating discursive act securitising, across the world,

245 See chapter one, section concerning the speech act. 246 This author speaks from experience, having viewed the second collision on the small television in my New Zealand kitchen, which was tuned to the local news station.


87

Islamic terrorism against the West.247 The elevation of Islamic terrorism from second order risk to

first order threat was supported by the various declarations from news media organisations such

as Le Monde (Nous sommes tous américains),248 through to state officials - former President George

Bush, for example, in a number of speeches following the September attacks;249 Prime Minister

Blair of the United Kingdom (UK);250 President Chirac of France;251 and Prime Minister Howard

of Australia, among others).252 Or, to take a more radical view, it could be argued that Islamic

terrorism had been a second order risk for over a decade prior to the Twin Tower attack, and that

9/11 was the culminating act of the elevation process, ending in a fully securitised and legitimated

existential threat against the US, and Western allies as a matter of course. Regardless of how this

particular instance is interpreted, the point of this section is to underline that the speech act can

no longer be defined as an explicitly verbal discursive act if securitisation is to continue being an

applicable political theory. So, from the elevation perspective, the “speech act” should in fact be

termed “the discursive legitimation” in order to include all relevant examples of a discursively

legitimating act and will be so named hereafter.

The Referent Object

When talking about security in terms of elevation, the referent object in question does not undergo

any change. Regardless of whether you are analysing through a traditional securitisation lens or the

elevation lens offered in this thesis, the object deemed to be at risk is not affected. The nature of

247 Matea Gold, Maggie Farley, and Print, “World Trade Center and Pentagon Attacked on Sept. 11, 2001,” Los Angeles Times, September 12, 2001, https://www.latimes.com/travel/la-xpm-2001-sep-12-na-sept-11-attack-201105-01-story.html. See also Figure 4 - Photo: Robert Clark, Associated Press, 2001 248 Jean-marie Colombani, “Nous sommes tous Américains,” Le Monde.fr, September 13, 2001, https://www.lemonde.fr/idees/article/2011/09/09/nous-sommes-tous-americains_1569503_3232.html. 249 George W. Bush, “President Bush Addresses the Nation,” Washington post, September 20, 2001, https://www.washingtonpost.com/wp-srv/nation/specials/attacked/transcripts/bushaddress_092001.html. 250 Tony Blair, “Full Text of Tony Blair’s Speech to Parliament,” The Guardian, October 4, 2001, http://www.theguardian.com/world/2001/oct/04/september11.usa3. 251 Jacques Chirac, “Allocution de M. Jacques Chirac, Président de la République, sur les attentats terroristes à New York et à Washington, la solidarité de la France avec les Etats-Unis et la coopération de la France dans la lutte contre le terrorisme, Washington, le 19 septembre 2001.,” elysee.fr, September 19, 2001, https://www.elysee.fr/jacques-chirac/2001/09/19/allocution-de-m-jacques-chirac-president-de-la-republique-sur-les-attentats-terroristes-a-new-york-et-a-washington-la-solidarite-de-la-france-avec-les-etats-unis-et-la-cooperation-de-la-france-dans-la-lutte-contre-le-terrorisme-washington-le-19-sep; Jacques Chirac, “Lettre de M. Jacques Chirac, Président de la République, adressée à M. George Walker Bush , Président des Etats-Unis d’Amérique, à la suite des attentats ayant frappé les villes de New York et Washington, Paris le 11 septembre 2001.,” elysee.fr, September 11, 2001, https://www.elysee.fr/jacques-chirac/2001/09/11/lettre-de-m-jacques-chirac-president-de-la-republique-adressee-a-m-george-walker-bush-president-des-etats-unis-damerique-a-la-suite-des-attentats-ayant-frappe-les-villes-de-new-york-et-washington-paris-le-11-septembre-2001. 252 John Howard, “Application of the ANZUS Treaty to Terrorist Attacks on the United States,” Prime Minister of Australia | John Howard, September 14, 2001, https://web.archive.org/web/20051022123644/http://www.pm.gov.au/news/media_releases/2001/media_release1241.htm; see also The Guardian Staff, “World Leaders Express Outrage,” The Guardian, September 11, 2001, http://www.theguardian.com/world/2001/sep/11/september11.usa10.


88

the perceived threat (second order risk or first order threat) will affect where on the elevation

spectrum the referent object is placed and what measures are allowable to secure it, but the object

is the same. The referent object, at all times, is that which requires protection.

The Existential Threat

Elevation theory differentiates between stages and processes. There is the stage at which a concern

is gauged to be either third order political concern, second order risk, or first order threat. There

are inherent processes; riskification elevates third order political concerns to second order risks,

and securitisation elevates second order risks to first order threats. Existential threats of the kind

examined by securitisation theories must first have been acknowledged as risks and then elevated

to threats, and so are only perceivable or examinable during the securitisation process or when

they are deemed to be a first order security threat. A threat cannot be existential until that point,

because by definition it must pose a risk of threatening the existence of the state in order to be

securitised in the first place. Whereas in traditional securitisation frameworks, the perception of

existential threat constitutes the beginning of the securitisation process, in the elevation

framework, an existential threat can only exist at the third and final stage of the threat elevation

pyramid, and an issue must undergo two (hierarchical) elevation processes before extraordinary

measures of threat mitigation can be considered or requested.

Extreme Necessity

Like the referent object, the variable of extreme necessity is both self-explanatory and does not

require any changes between the securitisation and elevation frameworks. In order for the

securitising process to be successfully realised, there must be an environment of extreme necessity

for extraordinary powers of threat mitigation to be allowable. A sudden change to the level of

potential risk or one in the balance of power in the international system, such that the security

environment itself requires that a state employ more than the ordinary allowable security measures,

would be enough to start elevating a second order risk to a first order threat. Without satisfying

the requirement of extreme necessity, a risk cannot be elevated to a threat and so must (continue

to) undergo risk management rather than threat mitigation. By that same token, if a securitisation

has been instigated or successfully completed, and the security environment becomes less

threatening, then the loss of the element of extreme necessity would see a first order threat start

the desecuritising process back down to second order risk, and thence through deriskifying back to

the third order political concern. Desecuritisation and deriskification are attenuation processes as

defined by the threat elevation analysis framework, attenuation being the ultimate goal of


89

management and mitigation measures — see Figure 5 - Securitisation and the orders of concern.

As such, the element of extreme necessity is of crucial importance to the elevation framework, and

must always be at the forefront of considerations when analysing the stage or process of an

elevation.

Extraordinary Measures

In an elevation process (and, indeed, a securitising process), extraordinary measures are the end

result toward which the entire process leads. The extraordinary measures are the desired end of a

securitisation; the granting of beyond-ordinary powers and means in order to defend against or

mitigate a perceived existential threat. One example of extraordinary measures employed after a

successful securitisation would be the passing of the Patriot Act in the US, which granted the

American government and military above-ordinary powers in order to combat terrorism and

terrorist suspects domestically and abroad.253 The granting of extraordinary measures is much the

same in both traditional securitisation and the elevation framework offered in this thesis, the

exception being that for a traditional securitisation the entire process leads toward the

extraordinary measures. By contrast, in elevation theory, the extraordinary measures can only be

sought in the final third stage of the elevation process, when an identified second-order risk is being

actively elevated to a first-order threat, or has been successfully securitised. There is a narrower

window of opportunity for extraordinary measures of threat mitigation to be sought or utilised in

the elevation framework considering that riskification must occur first, and by definition will not

require extraordinary measures to mitigate; risk management will suffice unless the danger

associated with that risk increases. Risk management measures and processes will continue until

either the risk is attenuated (it abates as a result of the management measures, or by virtue of the

risk actor losing power or credibility of danger), or a further elevating act is undertaken. While risk

management may take many forms, at the state level and in relation to perceived national security

risks, I posit that an action like the creation of a branch or agency specific to the identified risk

would be a likely management tool. Alternately, the addition of task-specific mandates to an

existing agency or branch would not be unlikely, and, as such, actions are designed for long-term

management of specific areas and issues.

The Elevating Actor

Like the elements of referent object and the existential threat, the securitising actor performs the

same function in both securitisation theory and the elevation framework. Elevations can be

253 United States Department of Justice, “The USA PATRIOT Act: Preserving Life and Liberty.”


90

undertaken at any level of analysis, from individual to group/community, corporate, state, regional,

international and global. The elevating actor will depend entirely upon the context of the

acknowledged risk or perceived threat in question. Unlike traditional securitisation theory, I would

go so far as to argue that entities, in addition to single actors (even as representatives of a state)

are now capable of performing the function of an elevating actor. It could be argued that the mass

media play a role in elevation processes, given that they collect and transmit much of the day-to-

day knowledge of non-security specialists about the actual state of world, regional, or domestic

security, in or about any given area. When searching for evidence of a claimed security threat, or

information about a perceived risk, it is possible to look to news sources such as CNN; ABC; Al

Jazeera; the Washington Post; Le Monde; and many other traditionally respected journalistic

sources. With that sphere of influence, and a higher ability to both generate and report on news

than almost any other global influencing actor, the broadcast media particularly are well placed to

play the part of the elevating actor, especially when doing so in conjunction with still images or

video footage with which to support an elevating move. This is a discursive legitimating act if the

news source performing it is reputable and with a wide enough influence (if members of the

political or military elite are liable to be influenced by that source), then the elevation process may

be started by that news source.

Legitimate Authority

As with traditional securitisation theory, the idea and element of legitimate authority is connected

with the elevating actor. If any actor tried to initiate a riskification or securitisation, there would

be no chance of success without the reasonable belief of the audience that the securitising actor

has the legitimate authority to do so. The context of the situation in question will also affect the

authority of the securitising actor, and this must be factored into the securitising calculations. As

discussed in the previous section, however, elevating actors are no longer necessarily confined to

the political or military elite of a state. Large corporations such as Apple and Google, as well as

news media organisations, are also capable of instigating a riskification or securitisation.

The question remains whether or not actors within or representing these organisations then have

the legitimate authority to validate an elevating move. There is no easy answer to this question. If

the elevating move is performed in such a way that the threat is made clear and the consequences

evident, and the threat and consequences will apply to the existence of the state (in its current

form), and those actors are perceived by the audience as being legitimate authorities, then I would argue that

the elevating move is valid. Authority, when not attached to a specific role in a hierarchy, is an


91

intangible notion, and depends largely upon situational context and audience perceptions, which

could result in gradations of authority. If, then, the relevant audience to an elevating move

perceived the securitising actor as having the authority to provide information on and riskify or

securitise a threat, then the actor has the legitimate authority to do so.

There is of course an argument against this point of view: if we expand the concept of legitimate

authority further than specific positions within the hierarchy of government and military, then we

threaten to dilute the concept, and the framework it operates within, to the extent that it will be

rendered analytically useless. However, elevation theory has been specifically formulated to deal

with the way threats are understood and responded to in the contemporary digital age: to forsake

the elevating capability of actors with immense influence in the digitalised society of today would

be to hobble the framework. If it cannot apply to all actors capable of elevating an issue today, then

it will not apply to all securitising, securitised, and securitisable threats currently in existence. And

that theory would, in fact, be analytically useless.

There are limitations to the concept of the securitising actor as conceived by elevation theory,

however. I maintain that the context of a situation will affect the legitimate authority of the

securitising actor: an individual with no relevant expertise or influence on the government or

military of the state is unlikely to find themselves in the position of securitising actor. Even if they

did acquire the attention of the relevant audience, it would be highly improbable that they would

consider the individual a legitimate authority in order for an elevating process to begin.

Relevant Audience

The relevant audience is an element that changes not at all between traditional securitisation theory

and the new elevation framework offered here. The relevant audience is the group of individuals

before whom the securitising act must be performed, and by whom the discursive legitimation of

threat must be accepted for an acknowledged security risk to move through the securitising process

before being acknowledged as an existential threat. The relevant audience does not necessarily

mean the general public, as may be considered in the case of a modern democracy. The relevant

audience could be restricted to the highest-ranked military officers and government officials in a

given administration, before whom an actor could begin the securitising process. The same rules

would apply to an elevation in either case: the (would-be) securitising actor must be accepted as

having the legitimate authority to speak security; they must convince the audience of the extreme

necessity of mitigating a security threat, which they must also convince the audience through


92

discursive legitimation is an existential threat against the state (or, perhaps, its interests around the

globe). Having performed the securitising act, the relevant audience must then decide if consent

will be given for the securitising actor to set in motion extraordinary measures of threat mitigation,

to accord to the perceived threat acknowledgement of its existential nature and imminent danger.

If the securitisation will ultimately prove unsuccessful, and be desecuritised once again to a second

order risk, it must then be controlled through risk management techniques; without recourse to

emergency measures. In plain terms, it is the relevant audience that decides in the end whether an

elevation will be successful and the threat securitised. It is also the relevant audience that decides

whether support for extraordinary measures will be sustained past the initial moves toward

mitigating the security threat, and so whether the relevant audience is one person, an entire

populace or section thereof, it is arguably the second most important element in the entire

elevation framework (the first being the threat itself). Just as the audience must be considered in

any elevating process, however, in the cyber era, the audience is also a crucial variable in risk and

threat calculations. The audience, or the democratic public, are now potential targets for hostile

disinformation operations, and are thus themselves both a vulnerability and a threat vector. Cyber-

enabled communications technologies and social media platforms such as Twitter broaden the

audience to a potentially global size – messages can either be broadly transmitted and signal-

boosted with computational propaganda tools, or narrow-casted to specific audiences, such as with

Facebook groups.

Elevation and Sectors in Cyberspace

As in traditional securitisation theory, elevation theory can be applied across the full spectrum of

security sectors in which cyberspace plays a role. It is perhaps even more applicable than CST,

given that there are few, if any, areas of security in which cyberspace is not either a functional or

critical part. One of the original goals of securitisation theory was to introduce a framework which

would broaden the analysis of security beyond the concept of military security to which traditional

security and strategic studies holds.254 Evidently, securitisation considers a broad range of problems

in a number of areas. Elevation theory, viewing securitisation as part of a process of elevation

rather than threat construction, is ideally suited to consider both sectors and problems of security

where cyberspace is concerned. The following sections are a brief analysis of the way in which

elevation theory can be applied to each of the sectors identified by the original securitisation

framework: the military sector; the environmental sector; the economic sector; the

community/society sector; and the political sector.

254 Buzan, Waever, and de Wilde, Security: A New Framework for Analysis, 1–5.


93

Military

As the traditional focus of security studies, there is an enormous body of existing literature on the

importance of military security; how to utilise military force; and how to defend against the same.

Securitisation theory in all forms is about broadening the analytical field of security beyond military

concerns. As with many other sectors of life, both public and private, cyberspace has become

increasingly crucial to the effective organisation, maintenance, and deployment of military forces

worldwide. Not only is cyberspace the primary mode of communications for militaries and

administrations world-wide, there are also entire defence industries constructed around the

requirements of using, exploiting and defending interests in cyberspace. It should be noted that

both cyber-based and cyber-aided tools and equipment are utilised by the military sector. Uniquely,

cyberspace is both a tool used to defend a state’s interests, and one of the state’s interests that

requires protection.

One of the most notable early examples of cyber-aided military operations occurred with the 1990

US-led invasion of Iraq, intended to expel the army of Saddam Hussein out of Kuwait.255 This

Operation Desert Storm was a success, and the unbelievable coordination and firepower displayed

by the US’ military left much of the world reeling in shock. In large part, the astonishing success

of Desert Storm was due to the unprecedented uptake by the American military of advanced

communications and targeting technologies made possible by the increasing use of cyberspace.256

This is an example of networked warfare, and Desert Storm in many ways changed the security

landscape in terms of traditional military concerns. It proved the advantages of advanced

communications technologies in an undeniable fashion. A decade later, the US military again

employed (ever more) advanced technologies during the 2003 American-led invasion of Iraq

following the terrorist attack on the World Trade Centre in September 2001.257 The technology of

the new millennium, in the sense of military security, was dual purpose: in addition to increasing

255 Oriana Pawlyk and Phillip Swarts, “25 Years Later: What We Learned from Desert Storm,” Air Force Times, August 7, 2017, https://www.airforcetimes.com/news/your-air-force/2016/01/21/25-years-later-what-we-learned-from-desert-storm/. 256 Franz-Stefan Gady, “What the Gulf War Teaches About the Future of War,” The Diplomat, March 2, 2018, https://thediplomat.com/2018/03/what-the-gulf-war-teaches-about-the-future-of-war/; Kris Osborn, “Shock and Awe: How the First Gulf War Shook the World,” Text, The National Interest (The Center for the National Interest, October 31, 2020), https://nationalinterest.org/blog/reboot/shock-and-awe-how-first-gulf-war-shook-world-171659; Pawlyk and Swarts, “25 Years Later.” 257 John H. Cushman Jr and Thom Shanker, “A Nation at War: Combat Technology - A War Like No Other Uses New 21st-Century Methods To Disable Enemy Forces,” The New York Times, April 10, 2003, sec. U.S., https://www.nytimes.com/2003/04/10/us/nation-war-combat-technology-war-like-no-other-uses-new-21st-century-methods.html; id Talbot, “How Technology Failed in Iraq,” MIT Technology Review, November 1, 2004, https://www.technologyreview.com/2004/11/01/232152/how-technology-failed-in-iraq/.


94

the accuracy and efficiency of traditional-type weapons (explosives and so forth), cyberspace and

cyber-based or -aided technologies could be, and were, utilised to collect intelligence and both

deceive and entrap suspected terrorists on the ground.258 In the space of a decade, the military uses

of cyberspace were ably proven. During that decade, and in the years following, both the

importance and the vulnerability of cyberspace became more evident as military technologies and

administrations became dependent on a structurally insecure technology.259

Elevation is not always an obvious procedure, and, in fact, may not often occur in the public eye,

for all the requirements of an existential threat. Indeed, it could be argued that the security of the

state would decrease significantly were every major threat to the modern state publicised. Given

that the requirement of a relevant audience can be fulfilled by relevant political and/or military

elites, it is by no means necessary for there to be a widespread awareness of current security threats,

or of the elevation process those threats undergo before truly becoming securitised.

In the case of cyberspace, its elevation appears to have proceeded on par with its publicised (and

feted) utility to the public. I think it fair to say, however, that specific security vulnerabilities have

not precisely been made available for public consumption, either. In part, that may have been due

to the fact that for many years, it was difficult for cyberspace engineers and scientists to convince

military and/or political elites of the dangers that cyberspace introduced into the national and

international security environments.260 At times, this may have been due to the alternate, and

overwhelming traditional security concerns, such as ground wars in Korea and Vietnam, and the

worsening Cold War between Western bloc allies and the Soviet Union (USSR). In a time when

nuclear conflict was a very real concern, interest in any cyberspace-based or -carried attack would

have been difficult to generate.

With the progression of technology, however, and the increasingly networked nature of

government, military, and civilian hierarchies and bureaucracies, cyberspace took on a greater

character of volatility and threat as other, more physical threats either faded, were neutralised, or,

through deterrence, were normalised. With these issues having been, in various ways,

258 Mark Mazzetti, The Way of the Knife: The CIA, A Secret Army, and a War at the Ends of the Earth (New York: Penguin RandomHouse, 2014), https://www.penguinrandomhouse.com/books/311164/the-way-of-the-knife-by-mark-mazzetti/. 259 Defense Advanced Research Projects Agency, “Paving the Way to the Modern Internet,” DARPA | Defense Advanced Research Projects Agency, 2021, https://www.darpa.mil/about-us/timeline/modern-internet; Kim Ann Zimmermann and Jesse Emspak, “Internet History Timeline: ARPANET to the World Wide Web,” Live Science, June 27, 2017, https://www.livescience.com/20727-internet-history.html. 260 See Mark Bowden, Worm: The First Digital World War (Atlantic Books Ltd, 2012).


95

desecuritised,261 the horizon was clear for military and political elites to start considering the

consequences of the (now-global) communications network, the foundations of which were never

designed with security as a primary concern.262

Once the vulnerabilities of cyberspace started to become clear to state decision-makers, several

tests were undertaken in order to gauge the potential threat of a cyber-borne or cyber-enabled

attack, usually with critical national infrastructure systems as the expected target. Perhaps the most

illustrative of these tests, or demonstrations, was the “attack” (in a simulated environment) against

an electrical generator that, in a matter of minutes, completely destroyed a perfectly functional

machine, to the enduring shock of the on-looking policymakers.263 Another illustrative episode

was the discovery of the Moonlight Maze network penetration of US defence systems, the extent

of which to this day has not been fully understood, and the perpetrators of which can only be

guessed at and suspected.264

The elevation of cyberspace was, and is, a process that has taken place across decades. There have

been a number of events which seem to have instigated, or supported, the elevation of cyberspace

from within the realms of first-order concerns, and to the realms of second- and third-order

threats. The vulnerability of cyberspace in the military sector has increased commensurate to the

military use and requirement of cyberspace. In part, the elevation process that cyberspace has

undergone has been in many instances supported by military actors, as the understanding of

cyberspace needs has improved among military decision-makers. Importantly for this chapter, this

process of elevation occurred over a period of decades, and did not have the immediacy typically

associated with securitisation.

261 Desecuritisation of the threat is the ideal situation. Desecuritisation is essentially the securitisation process in reverse, whereby a threat is de-escalated through strategic and political processes until it once more becomes a matter for normal politics. This is part of a larger process of attenuation, captured in Figure 5 - Securitisation and the orders of concern. 262 Defense Advanced Research Projects Agency, “Paving the Way to the Modern Internet”; Ronald J. Deibert, “Black Code Redux: Censorship, Surveillance, and the Militarization of Cyberspace,” in Digital Media and Democracy: Tactics in Hard Times, ed. Megan Boler (London: The MIT Press, 2008), 137–64; Zimmermann and Emspak, “Internet History Timeline: ARPANET to the World Wide Web.” 263 Andy Greenberg, “How 30 Lines of Code Blew Up a 27-Ton Generator,” Wired, October 23, 2020, https://www.wired.com/story/how-30-lines-of-code-blew-up-27-ton-generator/. 264 Juan Andres Guerrero-Saade et al., “Penquin’s Moonlit Maze: The Dawn of Nation-State Digital Espionage” (Kaspersky Lab, 2018), https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf; Charlie Osborne, “Ancient Moonlight Maze Backdoor Remerges as Modern APT,” ZDNet, April 3, 2017, https://www.zdnet.com/article/ancient-moonlight-maze-backdoor-remerges-as-modern-apt/; Nikolay Pankov, “Moonlight Maze: Lessons from History,” Kaspersky Daily, April 3, 2017, https://www.kaspersky.com.au/blog/moonlight-maze-the-lessons/6713/.


96

Environment

At first glance, you may not suspect that the environmental sector has played a large part in the

elevation of cyberspace from a political issue to a security risk, and eventually a security threat.

However, in an increasingly globalised and interdependent world, cyberspace has been integrated

into all sectors. The most evident, and crucial to every area of life both private and public, is the

global communications network upon which every actor relies. In addition, the advanced

technologies utilised to study the environment and the risks and threats to environmental security

such as global warming and the consequent rising sea levels depend upon advanced networked

technologies. Any recourse to satellite technologies is also dependent on the continued efficient

functioning of cyberspace and cyber-aided or enabled technologies, so any debilitating attack on

the global communications infrastructure will have carry-on effects in the environmental sector.

Beyond the technologies that assist in the examination and analysis of the environmental sector,

the technologies themselves also have a physical presence within that sector. While cyberspace

seems to exist both everywhere and nowhere, the infrastructure upon which cyberspace is built is

physical. Cyberspace infrastructure is subject to degradation or attack, just as with all other (critical)

infrastructures. The cables on the sea floor along which global communications travel are crucial

to the continued operation of not just the Internet, but also to the control and function of similar

pipes, both under sea and over land, that deliver electricity and oil to those states without native

supplies of their own.265 Should these forms of infrastructure suffer attack or physical degradation,

there will be flow-on effects not just in the environmental sector, but in other security sectors as

well.

Economy

After the military sector, the economic sector is one of the most closely integrated with and

dependent on cyberspace for basic functioning. Enormous quantities of money exist solely in

cyberspace; they have no physical representation, and, as such, should anything happen to the data

stored in cyberspace, the global financial system would be unable to continue functioning

efficiently. In the worst case, and if enough data were lost, it may not be able to continue

functioning at all. Corporations that handle a large volume of financial transactions such as states,

265 NATO CCDCOE, “Strategic Importance of, and Dependence on, Undersea Cables” (Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 219AD); Nadia Schadlow and Brayden Helwig, “Protecting Undersea Cables Must Be Made a National Security Priority,” Defense News, July 1, 2020, https://www.defensenews.com/opinion/commentary/2020/07/01/protecting-undersea-cables-must-be-made-a-national-security-priority/.


97

banks, and multinational corporations have an explicit interest in the security of cyberspace; their

continued existence depends on the perceived security of making transactions with that particular

actor. Trust certificates, for example, increase the confidence of a user in relation to a particular

online presence.266 Other dangers also exist for financial institutions in cyberspace: for example,

credit card fraud has dogged banking institutions since credit card information could be used

online. Cyber-attacks of sufficient complexity and sophistication are capable of exfiltrating

extraordinary quantities of money, often for a significant period of time before discovery if the

quantities in question are taken piecemeal from a number of accounts.267

Beyond the civilian and business concerns in cyberspace, the state itself and associated agencies

and militaries are dependent on the continued confidence in the economic sector, both nationally

and globally. States require an enormous amount of money simply to keep themselves running,

and both military services and civilian agencies depend on that funding for their continued

functioning and existence. In addition, most (if not all) states have overseas interests, investments,

and debts, which depend on both the continued functioning of, and the global confidence in, the

global economy. All of this now further depends on cyberspace, the infrastructure for which was

not originally designed with security as the first (and certainly not overriding) concern.268

Given these considerations, it is unsurprising that cyberspace concerns have been elevated to

significant risks by most actors in the current international economic system. In recent years, there

have been a multitude of cyber-attacks against banks and financial institutions, many of which

have also had stolen confidential information on the clients of those institutions as well as, or

instead of, simple monetary theft.269 That information can be very valuable on the dark web,270

266 Though trust certificates can also be ‘spoofed’, as seen with the case of DigiNotar, wherein a certificate provider was hacked and false trust certificates issued. That provider was subsequently bankrupted following the loss of confidence in their service. Tom Espiner, “Hack Attack Forces DigiNotar Bankruptcy,” ZDNet, September 20, 2011, https://www.zdnet.com/article/hack-attack-forces-diginotar-bankruptcy/. 267 Tom Bergin and Nathan Layne, “Special Report: Cyber Thieves Exploit Banks’ Faith in SWIFT Transfer Network,” Reuters, May 20, 2016, https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD. 268 Craig Timberg, “The Real Story of How the Internet Became so Vulnerable,” Washington Post (blog), 2015, http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/; Zimmermann and Emspak, “Internet History Timeline: ARPANET to the World Wide Web.” 269 Fruhlinger, “Equifax Data Breach FAQ”; Haskell-Dowland, “Facebook Data Breach”; Ragan, “Raising Awareness Quickly”; Reuters Staff, “JPMorgan Hack Exposed Data of 83 Million, among Biggest Breaches in History”; Rushe, “JP Morgan Chase Reveals Massive Data Breach Affecting 76m Households”; Zetter, “Four Indicted in Massive JP Morgan Chase Hack.” 270 According to Kaspersky, the dark web is “the hidden collective of internet sites only accessible by a specialized web browser. It is used for keeping internet activity anonymous and private, which can be helpful in both legal and illegal applications. While some use it to evade government censorship, it has also been known to be utilized for highly illegal activity.” Kaspersky, “What Is the Deep and Dark Web?,” www.kaspersky.com, January 13, 2021,


98

where such information can be sold and used in instances of credit and identity fraud. While it is

uncertain whether or not cyberspace has been securitised in the economic sector, I would argue

that it has been successfully riskified, and is intermittently being engaged in the securitising process.

Thus, we are witnessing the gradual elevation of the economic sector by reference to its reliance

on cyberspace.

Societal

Originally conceived, securitisation theory perceives several main dangers to the

community/identity sector of security: migration, horizontal competition and vertical

competition.271 Whereas cyberspace may not seem like an immediate concern to such issues as

migration and cultural identity, in fact, cyber-enabled technologies now play a substantial part in

the recording and examination of large migration patterns, including the registration and

transportation of refugees, both within and away from conflict zones. In her 2017 publication The

Politics of Humanitarian Technology, Katja Lindskov Jacobson examines the use of advanced

technologies on actors such as refugees, stateless individuals and internally displaced persons

(IDPs).272 Cyber infrastructure and cyber-enabled technologies, in addition to aiding in the

registration and tracking of these individuals, are also used to record medical data, biometric

identifiers, and whether or not these individuals have been in receipt of food, goods or services

provided by the United Nations, Red Cross, or other third-party aid organisations.273 While in this

sector, cyberspace does not have the level of existential threat that would (at this point in time)

necessitate a securitising process, such use of technologies could give rise to the abuse of the

information they take from disadvantaged peoples. In addition, if that data were to become

corrupted, as Lindskov Jacobson points out, the individuals that this data pertains to might suffer

for it.274 Beyond additional suffering to these actors, there is also the possibility of this data being

stolen or exploited by unknown actors, with heretofore unknown motivations or intent. As such,

while cyberspace may not at this stage pose an active threat to the community sector, there are

associated risks to an insecure or vulnerable cyberspace, real or perceived.

https://www.kaspersky.com/resource-center/threats/deep-web. The ACSC expands this definition slightly by asserting that the dark web is “made up of sites that are not indexed by search engines…” Australian Cyber Security Centre, “Dark Web,” Australian Cyber Security Centre, 2021, https://www.cyber.gov.au/acsc/view-all-content/glossary/dark-web; See also Darren Guccione, “What Is the Dark Web? How to Access It and What You’ll Find,” CSO Online, November 18, 2020, https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html. 271 See chapter two section on Copenhagen securitisation theory pertaining to the societal sector of security 272 Katja Lindskov Jacobsen, The Politics of Humanitarian Technology: Good Intentions, Unintended Consequences and Insecurity (Routledge, 2015). 273 Jacobsen. 274 Jacobsen.


99

There is also a risk to cultural history, should cyber infrastructure fail in some way. Cultures in

danger of dying out, and indeed cultures that have died out and we know only from historical or

archaeological artefacts, would be in danger of total destruction if the cloud in which we now store

so much data were to be corrupted of damaged.275 While in the case of cultural historical

documents and artefacts it is likely that there will be backups of any records made, there is no

guarantee that those backups will not also be corrupted. It is also the case that, if a document is

copied, and a copy made of the copy and so forth, then eventually the quality of the copies’ copies

will degrade such that the value may ultimately be lost. We have already seen the proven value of

storage records of documents and artefacts including three dimensional scans in cyberspace:276

since the birth and aggressive growth of the terrorist group ISIS in Iraq and Syria, there has been

a documented loss of enormously valuable relics that have been utterly destroyed by ISIS

radicals.277 There remain only crumbling vestiges and rubble where buildings and monuments had

previously endured for millennia; now, the only full record we have of these are digital. If the

digital data is corrupted, so are those relics. So, while the instability or insecurity of cyberspace may

not seem debilitating to community and identity security in the first instance, as in all other areas

of security cyberspace has been riskified, albeit in less spectacular a manner that in other security

sectors, but arguably equally as important in a societal and collective memory sense. By elevating

the risks or threats to these cultural artefacts, governments could direct resources more efficiently

in order to preserve cultural heritage which in many cases amounts to cultural and identity security.

While the national security of the state may not be explicitly impacted by cultural insecurity, the

perceived insecurity of its populations (which, in the case of tribal and ethnic minorities, can be

considered sub-state nations) could result in political instability.

275 ‘The cloud’ refers to “software and services that run on the Internet, instead of locally on your computer.” Bonnie Cha, “Too Embarrassed to Ask: What Is ‘The Cloud’ and How Does It Work?,” Vox, April 30, 2015, https://www.vox.com/2015/4/30/11562024/too-embarrassed-to-ask-what-is-the-cloud-and-how-does-it-work; Cloudflare, “What Is the Cloud? | Cloud Definition,” Cloudflare, accessed June 19, 2021, https://www.cloudflare.com/learning/cloud/what-is-the-cloud/. 276 Sarah Griffiths, “Artefacts Destroyed by ISIS Restored in 3D Models by ‘Cyber Archaeology,’” Daily Mail, May 20, 2015, https://www.dailymail.co.uk/sciencetech/article-3087731/Cyber-archaeology-rebuilds-lost-treasures-Public-project-uses-photos-create-3D-models-artefacts-destroyed-ISIS.html; NPR Staff, “Cyber Archaeologists Rebuild Destroyed Artifacts,” NPR.org, June 1, 2015, https://www.npr.org/sections/alltechconsidered/2015/06/01/411138497/cyber-archaeologists-rebuild-destroyed-artifacts. 277 Emma Cunliffe and Luigi Curini, “ISIS and Heritage Destruction: A Sentiment Analysis,” Antiquity 92, no. 364 (August 2018): 1094–1111, https://doi.org/10.15184/aqy.2018.134; Andrew Curry, “Here Are the Ancient Sites ISIS Has Damaged and Destroyed,” National Geographic, September 1, 2015, https://www.nationalgeographic.com/history/article/150901-isis-destruction-looting-ancient-sites-iraq-syria-archaeology; Christopher W. Jones, “Understanding ISIS’s Destruction of Antiquities as a Rejection of Nationalism,” Journal of Eastern Mediterranean Archaeology & Heritage Studies 6, no. 1–2 (2018): 31–58, https://doi.org/10.5325/jeasmedarcherstu.6.1-2.0031.


100

Political

The political sector is tightly intertwined with the military one and, increasingly, the economic

sector of security. Cyber security and all connected issues and concerns are a significant challenge

for politicians at all levels, and while there are other security concerns as well, it is likely that

cyberspace will continue to be a point of contention and a rallying point for many years to come.

In the contemporary age, politicians (or their media and public relations teams) must have a

familiarity with cyberspace and, of course, social media. However, in terms of infrastructure,

cyberspace is a high political priority; when critical national infrastructure of any kind is dependent

upon the continued reliability and efficiency of cyberspace and cyber-enabled technologies,

political actors are expected to be familiar with both the benefits and the vulnerabilities of those

technologies. In addition, it is political actors who are often the first in line for questioning when

infrastructure of any kind suffers malfunction, from design to hostile attack; it is therefore in the

best interest of those actors that cyberspace is, or is at least perceived by the public to be, as secure

as possible.

Beyond the concern of current political actors to be familiar with the benefits and vulnerabilities

of major infrastructural technologies, the political sector today is also largely dependent on

cyberspace for administration. Elections in particular depend in large part on cyber-enabled

technologies in states where voting is digitally enabled; the recent scandal dogging the election of

Donald Trump as the 45th President of the US and the involvement of the Russian Federation in

recent American elections is proof enough that cyber insecurity is a real, enduring, permanent, and

contemporary concern.278 Moreover, the way that social media etc., was used to undermine

confidence in the outcome of the 2020 US Presidential election shows the ways that cyber-

278 Brian Barrett, “DNC Lawsuit Against Russia Reveals New Details About 2016 Hack,” Wired, April 20, 2018, https://www.wired.com/story/dnc-lawsuit-reveals-key-details-2016-hack/; Heather A. Conley and Jean-Baptiste Jeangene Vilmer, “Successfully Countering Russian Electoral Interference,” Center for Strategic & International Studies, June 21, 2018, https://www.csis.org/analysis/successfully-countering-russian-electoral-interference; Josh Gerstein, “U.S. Brings First Charge for Meddling in 2018 Midterm Elections,” POLITICO, October 19, 2018, https://politi.co/2Ajbubq; Adam Goldman, “Justice Dept. Accuses Russians of Interfering in Midterm Elections,” The New York Times, October 19, 2018, sec. U.S., https://www.nytimes.com/2018/10/19/us/politics/russia-interference-midterm-elections.html; Andy Greenberg, “Hack Brief: As FBI Warns Election Sites Got Hacked, All Eyes Are on Russia,” Wired, August 29, 2016, https://www.wired.com/2016/08/hack-brief-fbi-warns-election-sites-got-hacked-eyes-russia/; Jonathan Masters, “Russia, Trump, and the 2016 U.S. Election,” Council on Foreign Relations, February 26, 2018, https://www.cfr.org/backgrounder/russia-trump-and-2016-us-election; Office of the Director of National Intelligence, “Assessing Russian Activities and Intentions in Recent US Elections”; Senate Select Committee on Intelligence, “Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election Volume 2: Russia’s Use of Social Media With Additional Views,” Russian Active Measures Campaigns and Interfernece in the 2016 U.S. Elections (Washington, D.C.: United States Senate, 2019), https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume2.pdf.


101

technologies play increasingly important roles in political processes.279 Governments also use

cyberspace for bureaucratic administration and to serve functions such as population tracking,

logging and storage of medical records, domestic and international communications, and so on. In

order for any political actor to function in the modern age, cyberspace is a necessary element of

most actions and certainly a day-to-day requirement.

In the political sector, cyberspace in itself has been undergoing elevation for decades; it could be

argued that as soon as cyberspace spread beyond the initial US -based communications network

between academics at university campuses to a global phenomenon,280 political actors have been,

quietly at first perhaps, repositioning themselves in terms of how cyberspace is expected to be

received by the public in any given set of circumstances.

Event-based Threat Elevation

The threat elevation framework accepts events as the instigating acts of a riskifying or securitising

process. Event-based elevation could be considered the more rapid path to threat elevation, given

that the more widespread the coverage of an event, the more likely the relevant audience is to grant

consent to extraordinary measures; the more serious the consequences of the instigating event, the

more likely the relevant audience is to sustain their consent. Event-based elevation is a more

spectacularised (in the sense of mediatised, or more widely broadcasted and communicated) form

of elevation than the traditional performative speech act, and therefore has a greater emotional

influence. To reference the September 11 attacks once more, that was an example of event-based

elevation; there was widespread media coverage of the attack and the consequences thereof, and

there was an incredible emotional impact on victims and viewers, not only in the US, but

worldwide.281 In the sections below, I will examine several events that have influenced, and

continue to influence, the elevation of cyberspace out of the bounds of normal politics to second

order risk, and potentially first order threat.

Stuxnet

Stuxnet is an oft-cited example of the increasing impact of cyber-attacks. An incredibly complex

attack, it was also the first known cyber-attack to have a kinetic effect; to affect real-world, physical

279 Chapter six looks at these issues in more detail. 280 Vint Cerf, “A Brief History of the Internet & Related Networks,” Internet Society (blog), 2021, https://www.internetsociety.org/internet/history-internet/brief-history-internet-related-networks/; Defense Advanced Research Projects Agency, “Paving the Way to the Modern Internet”; Zimmermann and Emspak, “Internet History Timeline: ARPANET to the World Wide Web.” 281 Colombani, “Nous sommes tous Américains”; The Guardian Staff, “World Leaders Express Outrage.”


102

consequences. The target of Stuxnet was a particular type of command-and-control system

manufactured by Siemens,282 and used in the Iranian nuclear processing facility at Natanz.283

Stuxnet performed both deception and degradation functions; by adjusting the mechanisms of the

centrifuges, it degraded their components such that they required many replacement units. By

transmitting false normal function data to the technicians that controlled the centrifuges, Stuxnet

deceived the controllers and contributed to the loss of trust in both the technicians and the

technologies. While opinions vary, experts have estimated that the effects of the Stuxnet virus set

the Iranian nuclear program back by between several months and several years.284 Unfortunately

for its creators, the virus was released into the wild,285 eventually being discovered and analysed by

computer experts. It was decided that the virus, too complex to have been the creation of anything

but a state, was attributable to the US and Israel, both states with a keen interest in preventing the

potential weaponisation of the Iranian nuclear energy program.286

The use of a cyber-borne virus against a state which had observable effects in the physical world

was evidentiary proof of the threat potential of cyberspace, and while perhaps not an instigating

event, was certainly a supporting event in the elevation of cyberspace beyond the bounds of normal

politics. While (to my knowledge) there were no fatalities or injuries resulting from the Stuxnet

virus,287 its release and operation is a clear indication that states at least view cyberspace as a viable

domain for (militarised) conflict. While I would not argue that Stuxnet did not lead to a

securitisation of cyberspace, I would argue that it did contribute to the successful riskification of

cyberspace as a threat vector and security vulnerability. Stuxnet proved that cyber operations were

capable of affecting physical infrastructure in a demonstrably destructive way. However, the effects

were specific and, by design, limited. This is not an existential danger but did indicate that

282 Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired, November 3, 2014, https://web.archive.org/web/20151207190234/https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/. 283 Zetter. 284 Zetter. 285 A term used to describe when a virus distributes beyond its intended target and people are able to obtain the source code for analysis or manipulation and use. Australian Cyber Security Centre, “In the Wild,” Australian Signals Directorate | Australian Cyber Security Centre, 2021, https://www.cyber.gov.au/acsc/view-all-content/glossary/wild. 286 Nate Anderson, “Confirmed: US and Israel Created Stuxnet, Lost Control of It,” Ars Technica, June 1, 2012, https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/; Ellen Nakashima and Joby Warrick, “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say,” Washington Post, June 2, 2012, sec. National Security, https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html; David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times, June 1, 2012, sec. World, https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html. 287 Though several engineers were fired from the facility after supervisors and managers lost confidence in their capabilities. Thomas Rid, Cyber War Will Not Take Place (London: Hurst, 2013), 32.


103

cyberspace and cyber operations would be able to affect the physical domain going forward. The

lack of existentially threatening danger to Iran posed by Stuxnet prevents a securitisation but it

also does serve to elevate the problem of cyberspace as a potential threat vector, prompting the

design and implementation of risk management measures and practices. It also serves to illustrate

the importance of both technical and psychological (human) aspects of CCI. There was a

psychological element to the malware, fooling the technicians and their supervisors into losing

trust in both the machinery and their own skills in operating it, thereby extending the period of

time before malware was suspected. The intelligence operation thus had an irrevocably human

element in its design and deployment. Efficient responses to the elevation of the threat of

cyberspace, then, require a recognition of the importance of the human factor in the practice of

CCI.

GhostNet

GhostNet is one of the more well-known cases of cyber-attack and exploitation in recent history.

Using a combination of elements, attackers that were suspected to be members of the PLA’s Unit

31968 infiltrated the computer systems of the Free Tibet Movement and of the Dalai Lama, the

holy leader of the Tibetan people.288 Cyber exploitation had become suspected by the offices of

the Dalai Lama after several incidents, including one wherein a state with whom the offices of the

Dalai Lama had been trying to organise an official visit were notified by the Chinese authorities

that it would be unwise to allow such a visit to occur.289 When experts were invited to examine the

computer systems of the offices of the Dalai Lama, they discovered a surveillance system in place

on many of the computers in the office which allowed remote control access, infiltration, and

exfiltration. After some investigation, the file containing the virus which infected the computers

was found; as it was called Gh0stRat, the network of compromised systems and the operation

itself came to be known as GhostNet.290

The cyber-spying network had, by the point of discovery, compromised more than twelve hundred

machines in over one hundred countries, many of which were in physical locations that would

288 The PLA is the People’s Liberation Army, or the PRC. Nigel Inkster, “China in Cyberspace,” Survival 52, no. 4 (September 2010): 55, https://doi.org/10.1080/00396338.2010.506820; Dimitar Kostadinov, “GhostNet - Part I,” InfoSec, 2013, https://resources.infosecinstitute.com/topic/ghostnet-part-i/. 289 Shishir Nagaraja and Ross Anderson, “The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement,” Technical Report (Cambridge: University of Cambridge, 2009), 5, https://web.archive.org/web/20130122081850/http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf. 290 Information Warfare Monitor, “Tracking GhostNet: Investigating a Cyber Espionage Network” (The Citizen lab & The SecDev Group, 2009), 5, https://citizenlab.ca/wp-content/uploads/2017/05/ghostnet.pdf.


104

offer the infiltrators both sensitive and classified material.291 Beyond the initial discovery of the

infiltrated systems of the offices of the Dalai Lama, compromised machines were identified in

embassies; media offices; foreign ministries; and other government offices around the world. The

command and control structures of the network were traced to mainland China, and further to

Beijing, though authorities fell short of officially accusing the Chinese government of cyber

espionage in this case.292 Further, the government in Beijing denied all knowledge and involvement

and no conclusive evidence was ever discovered to definitively attribute responsibility.293

The Gh0stRat Trojan was spread through emails, socially engineered for the target (a strategy

usually referred to as whaling)294 to create an environment of trust wherein the target felt

comfortable opening an email attachment that appeared as a legitimate communication.295

Depending on the documents and information exfiltrated from previous targets, the documents

in this sort of attack can actually be legitimate and intended for the target; the virus is simply piggy-

backed onto an already legitimate communication. Once the virus is installed, the machine

becomes part of the compromised network and can accept commands from, and send information

back to, the command and control server.296

In this particular instance, and in many similar others, there are multiple (rather than one single)

failures in counterintelligence. First, the security of the targeted networks is in some way deficient;

they have not identified the emails as carrying viruses or otherwise being less-than-legitimate traffic

and have essentially 'waved them through.' Second, there is also a human failure in

counterintelligence. While it is possible that there is no indication in the emails carrying the Trojan

that the contents may not be legitimate, in many cases there are indications that the provenance

of an email may be suspect. A slowdown of the computer; ‘glitches’ in the operating system, and

lack of following up on emails with the apparent sender are all potential identifiers of computer

exploitation. While the target of GhostNet was not a state actor, there are several reasons I have

included it here. First, it was highly likely a state that engaged in the attacks and exploitation for

291 Information Warfare Monitor, 48–49; Inkster, “China in Cyberspace”; Kostadinov, “GhostNet - Part I.” 292 Information Warfare Monitor, “Tracking GhostNet: Investigating a Cyber Espionage Network,” 5–6; Nagaraja and Anderson, “The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement,” 5–6. 293 BBC, “Cyber Attacks Blamed on China,” BBC News, January 31, 2013, sec. China, https://www.bbc.com/news/world-asia-china-21272613; Voice of America, “China Denies Any Role in ‘GhostNet’ Computer Hacking | Voice of America - English,” Voice of America, November 2, 2009, https://www.voanews.com/archive/china-denies-any-role-ghostnet-computer-hacking. 294 Kaspersky, “What Is a Whaling Attack?,” Kaspersky, 2021, https://www.kaspersky.com/resource-center/definitions/what-is-a-whaling-attack. 295 Information Warfare Monitor, “Tracking GhostNet: Investigating a Cyber Espionage Network”; Nagaraja and Anderson, “The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement.” 296 Information Warfare Monitor, “Tracking GhostNet: Investigating a Cyber Espionage Network,” 30–38.


105

the purposes of surveillance and intelligence collection: this was a demonstration of both intent

and capability which illuminated at least part of what the attacker intended to accomplish, and the

methods with which they were able to pursue their goal. Second, this thesis acknowledges the

importance of non-state actors in any assessment related to the function or exploitation of

cyberspace and in the use of CCI. Third, this thesis emphasises the importance of the human

element in both CCI and in cyberspace: the human element in this case was both important for

the success of the exploitation operation, and in terms of the specific individuals targeted. And

fourth, the Gh0stRat Trojan did not stay confined to a specific target: it was found in multiple

systems across a wide geographic region and did affect government systems, like that of the Indian

Ministry of Defense and Foreign Ministry.297 The initial targeting of an intelligence operation

against a non-state actor does not preclude the consequences affecting state actors.

Relative to the threat elevation of cyberspace, I would argue that GhostNet was a contributing

factor to riskification, if not securitisation. While in the early and mid-2000s, a greater

understanding of cyberspace as a threat vector had been achieved, it perhaps had not been

suspected (by the general population and authorities, though perhaps excluding intelligence

agencies and personnel) that computer exploitation could extend across as many countries as had

been found to be compromised by the Gh0stRat Trojan. In a different way than Stuxnet,

GhostNet elevated the risk potential of cyberspace by illustrating how widely malware could spread

and the effect that it could have, not only on systems and infrastructure, but the behaviour and

reality of individuals, once the consequences of the espionage operation became clearer. GhostNet

did not represent an existential threat to the governing administration of a state or quasi-state, nor

was there an immediate and pressing potential for danger. It did, however, serve to draw attention

to the necessity of CCI as a direct response to the espionage and surveillance operations of a

(probable) state actor. It also demonstrated once more that the technical and human elements of

CCI are irrevocably linked.

Flame

Discovered by researchers in 2012, Flame was an extremely complex and sophisticated malware.298

With twenty modules (not all installed immediately) that the controller can add/subtract as they

see fit, Flame has a multi-pronged intelligence gathering capability. It seems purpose-built solely

297 James P. Farwell and Rafal Rohozinski, “Stuxnet and the Future of Cyber War,” Survival 53, no. 1 (February 2011): 26, https://doi.org/10.1080/00396338.2011.555586. 298 Ravish Goyal et al., “Obfuscation of Stuxnet and Flame Malware,” Latest Trends in Applied Informatics and Computing, 2012, 5.


106

for espionage purposes; it has multiple functionalities that turn the compromised machine into a

spying device for whoever controls the virus. Flame is capable of activating the on-board camera

and microphone of an infected device; taking screenshots while the machine is in use; logging

strokes on the keyboard and thus acquiring access credentials; monitoring network traffic and

scraping data; recording Skype conversations by recognising when the on-board microphone is in

use; exfiltrating and infiltrating data and documents; and altering files without removing them from

the system.299 In addition, Flame is capable of extorting geolocation data from image stills, and

using Bluetooth wireless technology for data transfer and to both send and receive commands.300

Upon examination by researchers including experts at Kaspersky Labs, certain parallels were drawn

between the code for Flame and the code of Stuxnet, the previously-discovered malware thought

to be the collaboration of the US and Israel, and part of an overall program called Olympic

Games.301 However, some think that Flame was been developed circa 2008, and so would actually

predate Stuxnet; it has been suggested by some to be the forerunner and the platform from which

Stuxnet was kickstarted.302

While there were commonalities suggesting a shared heritage, however, Flame differed from

Stuxnet in several ways. First, Flame had an in-built ‘suicide’ module that was actually successful

in neutralising the virus on an infected machine and then completely wiping all traces of it from

existence. In addition to the built-in module, however, experts also traced a new command, sent

out following the discovery of Flame, which was essentially another ‘uninstall’ application that

performed the same function.303 Experts are only able to study Flame by means of having used

honeypot computers to capture the virus or examining computers known to have been infected

299 Benjamin Gottlieb, “Flame FAQ: All You Need to Know about the Virus,” Washington Post, June 20, 2012, https://web.archive.org/web/20170225103056/https://www.washingtonpost.com/blogs/blogpost/post/flame-faq-all-you-need-to-know-about-the-virus/2012/06/20/gJQAAlrTqV_blog.html; Goyal et al., “Obfuscation of Stuxnet and Flame Malware”; Kate Munro, “Deconstructing Flame: The Limitations of Traditional Defences,” Computer Fraud & Security 2012 (October 1, 2012): 8–11, https://doi.org/10.1016/S1361-3723(12)70102-1; Kim Zetter, “Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers,” Wired, May 28, 2012, https://web.archive.org/web/20141014203532/http://www.wired.com/2012/05/flame/all. 300 Gottlieb, “Flame FAQ: All You Need to Know about the Virus”; Goyal et al., “Obfuscation of Stuxnet and Flame Malware”; Munro, “Deconstructing Flame”; Zetter, “Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers.” 301 Olympic Games is the effort by US and Israeli intelligence agencies to delay the Iranian nuclear energy program in the attempt to both prevent weaponisation of nuclear energy, and also to provide delays which would allow diplomats more time to liaise. 302 Dan Goodin, “Discovery of New ‘Zero-Day’ Exploit Links Developers of Stuxnet, Flame,” Ars Technica, June 12, 2012, https://arstechnica.com/information-technology/2012/06/zero-day-exploit-links-stuxnet-flame/; Elinor Mills, “Shared Code Indicates Flame, Stuxnet Creators Worked Together,” CNET, June 11, 2012, https://www.cnet.com/news/shared-code-indicates-flame-stuxnet-creators-worked-together/. 303 Rossi Fernandes, “Flame Malware Controllers Send Uninstall Command,” Tech2, 11:02:51 +05:30, https://www.firstpost.com/tech/news-analysis/flame-malware-controllers-send-uninstall-command-3601111.html.


107

before the kill module was activated; any machine on which the kill switch had been used was

clean of all traces of the virus.

Flame was also purpose-built for espionage, unlike Stuxnet. The aggressive functionality for which

Stuxnet became so well-known affected physical elements of the Iranian nuclear program at

Natanz and also performed something of a psychological warfare operation; it both degraded the

centrifuges utilised for uranium separation in the plant and it encouraged the impression of

incompetence among the workers.304 Flame, however, has no such aggressive functionality; it is a

tool for intelligence collection, and even lacks Stuxnet’s uninhibited propagation. Flame can only

spread when the propagation module is activated by the controller and ordered to do so, and on

infection of a new machine that feature is in fact disabled. Had Stuxnet been built along the same

lines, it may not have been discovered so quickly; Flame was very much a purpose-built and tightly

controlled tool.

Flame is also a much larger piece of malware than Stuxnet, indicative of both the extensive

functionality and the effort involved in its creation. Like Stuxnet, Flame spreads via Local Area

Network (LAN), intranet, or USB drive rather than attached to emails or through file downloads

like more common varieties of malware. Unlike Stuxnet, its targeting was not limited to SCADA

industrial control systems: the virus is known to have targeted and compromised machines

belonging to individuals and groups.305 While these two examples of malware were written in

different programming languages and a majority of the code is different, there are enough

commonalities and shared features for experts to suggest that the two have common authors at

least in part. In particular, the obfuscation and detection prevention utilised by the authors of

Flame in combination with the extremely advanced code suggest that only “crypto mathematicians,

such as those working at NSA” would have the capability of authoring such a virus.306 Flame

masqueraded as a Microsoft update, with signed (though fake) Microsoft trust certificates, thus

defeating traditional anti-virus software.307

304 Zetter, “Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers.” 305 Gottlieb, “Flame FAQ: All You Need to Know about the Virus”; Zetter, “Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers.” 306 Ellen Nakashima, “US and Israel Credited with Shooting Iran down in Flame,” The Sydney Morning Herald, June 20, 2012, https://www.smh.com.au/technology/us-and-israel-credited-with-shooting-iran-down-in-flame-20120620-20ok3.html; Nakashima and Warrick, “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say.” 307 Munro, “Deconstructing Flame.”


108

The alleged unilateral decision by Israel to deploy the virus onto Iran’s networks, including oil

fields systems, lead to the discovery of Flame.308 Had this not occurred, it isn’t clear whether or

not Flame would have continued to function undetected and if so, for what period of time. In

terms of counterintelligence, Flame certainly was more sophisticated than other malware thus far

discovered; its authors had actively considered both methods of obfuscation and concealment

while the virus was operational, and methods of concealment and deletion upon the virus’

discovery. The fact that it functioned for years without becoming known is proof enough that the

effort put into countering and overcoming cyber security functions on target machines was

considerable. However, that same evidence is proof of the failure of both cyber security and CCI

functions of the target machines and publicly available and widely-used software such as Microsoft.

While it is difficult to suggest alternatives to the current, reactionary nature of cyber security and

counterintelligence practices, it is clear that the offensive advantage of cyber explorations and

cyber-attacks has only grown. It is difficult to combat and subvert that which you cannot see and

of which you do not know. I would argue the Flame, perhaps even more so that Stuxnet, alerted

security and intelligence agencies and entities that cyberspace was an increasing risk and a serious

threat vector in the contemporary and digitalised era. While Flame posed no existential risks and

this did not contribute to the securitisation of cyberspace, it is my opinion that it did (and continues

to) contribute to its successful riskification, and the increase of risk management efforts. Flame

was a tool that was purpose-built for espionage, unintended for the sort of physical degradation

for which Stuxnet was designed. Like GhostNet, Flame was an explicitly intelligence-linked tool,

and once more brought to the fore the kinds of risk associated with the widespread diffusion of

access to cyberspace and the flow of information and data through global networked structures.

It identified the necessity of a greater understanding of, focus on, and utilisation of CCI measures

and processes.

Estonia 2007

Like Stuxnet, many studies have been made and articles written about the cyber-attacks against

Estonia in 2007.309 These attacks were an overt example of a sustained campaign against the cyber

308 Nakashima, “US and Israel Credited with Shooting Iran down in Flame.” 309 C. Czosseck, Rain Ottis, and Anna-Maria Talihärm, “Estonia after the 2007 Cyber Attacks: Legal, Strategic and Organisational Changes in Cyber Security,” International Journal of Cyber Warfare and Terrorism 1 (2011): 24–34, https://doi.org/10.4018/ijcwt.2011010103; Samuli Haataja, “The 2007 Cyber Attacks against Estonia and International Law on the Use of Force: An Informational Approach,” Law, Innovation and Technology 9, no. 2 (July 3, 2017): 159–89, https://doi.org/10.1080/17579961.2017.1377914; Rain Ottis, “Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective” (Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2008), https://ccdcoe.org/library/publications/analysis-of-the-2007-cyber-attacks-against-estonia-from-the-information-warfare-perspective/; Richard Stiennon, “A Short History of Cyber Warfare,” in Cyber Warfare: A Multidisciplinary Analysis, ed. James A. Green (Oxon: Routledge, 2015), 7–32.


109

systems of a sovereign state, and considering that Estonia was then and is still now one of the

most highly networked states in the international system the loss of efficiency and access that the

campaign caused was of great concern. While the North Atlantic Treaty Organisation (NATO)

did not invoke the Article 5 defence clause,310 the attacks did generate significant interest in the

relative vulnerabilities of states to attacks with a cyber vector, and one of the eventual results of

the Estonia attacks was the NATO Cooperative Cyber Defence Centre for Excellence

(CCDCOE), headquartered in Tallinn, Estonia.311 Arguably, the Estonian attack and subsequent

response(s) are the most obvious examples of where a particular cyber event led to an elevation of

risks to threats, and long lasting geopolitical impacts.

The attacks themselves were not necessarily particularly threatening; defacement of government

websites and a massive dedicated denial of service (DDoS) attack against the financial

infrastructure of Estonia saw citizens unable to use online banking systems for several days.312

Estonia, one of the most Internet-dependent states in the world given its size, considers access to

the Internet as a basic human right, and has enshrined that right in its national constitution.313 The

cyber-attacks that it suffered in 2007, precipitated by a political decision to remove a Soviet-era

statue from a Tallinn city centre square, therefore proved most debilitating for the small state.314

Estonia, a former republic of the Soviet Union, has a significant percentage of native Russian

speakers in its population. These individuals protested the removal of the statue from where it had

stood since the days of the USSR, and these protests were seconded by the Russian government.315

Given the precipitating act and the disapproval of the Russian government, it was (and has been)

generally assumed that the Russian administration or those representing the administration

(officially or otherwise) were responsible for the cyber-attacks against Estonia, though they were

never fully and undeniably attributed. What these attacks did prove, however, is that cyberspace is

necessary for the daily function of life in a modern, networked state: it is a significant risk to have

access to that structure removed or made difficult. The defacement of the websites and the

310 See Joshua Davis, “Hackers Take Down the Most Wired Country in Europe,” Wired, August 21, 2007, https://www.wired.com/2007/08/ff-estonia/; Stephen Herzog, “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security 4, no. 2 (2011): 49–60; Damien McGuinness, “How a Cyber Attack Transformed Estonia,” BBC News, April 27, 2017, sec. Europe, https://www.bbc.com/news/39655415. 311 NATO News, “NATO News: NATO Opens New Centre of Excellence on Cyber Defence,” NATO News, 2008, https://www.nato.int/docu/update/2008/05-may/e0514a.html. 312 In fact, the Estonian systems were so besieged that the government took the Internet offline for several days, incurring further losses, in an attempt to subvert the attacks. 313 Visit Estonia, “E-Estonia | Why Estonia?” 314 Ottis, “Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective”; Stiennon, “A Short History of Cyber Warfare.” 315 Ottis, “Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective”; Stiennon, “A Short History of Cyber Warfare.”


110

breakdown of access to financial institutions suffered by the Estonians over the period of the

attacks also points to the general insecurity of both government and corporate websites and

structures, which is concerning in the extreme and also contributes to the elevation of cyberspace

out of the bounds of normal politics through the riskification process. The use of cyberspace and

cyber-enabled technologies, even in light of the knowledge that these technologies and structures

are vulnerable to hostile acts, makes it even more important that we analyse and understand the

security threats and vulnerabilities inherent in cyberspace, whether perceived, potential, or actual.

Moreover, with the development of the NATO CCDCOE and the subsequent release of

influential reports such as the so-called Tallinn Manuals on the application and relevance of

international law to cyber warfare and cyber operations,316 the attacks on Estonia provide one of

the most tangible and recognisable examples of how a specific cyber-attack led to an ongoing and

evolving elevation of cyberspace as a threat vector.

Georgia 2008

The year following the cyber-attacks aimed at Estonia, the neighbouring state of Georgia also

suffered a series of debilitating cyber incursions. Unlike in the Estonian case, however, the

Georgian government was subject to a series of cyber-attacks in conjunction with a ground

invasion of South Ossetia, a region of Georgia with a significant native Russian population.317 The

Russian government, under the pretence of protecting the native Russian inhabitants of South

Ossetia, crossed the Georgian border and took over the region.318 The cyber-attacks against

Georgia accomplished two things. First, they made it difficult for the Georgian government and

military to communicate and coordinate, as their communication lines suffered or were useless

throughout the cyber-aided ground campaign. Second, it proved that utilising cyber-attacks as one

element of a military campaign improved the efficacy and the impact of ground invasions. It also

proved that the Russian government was willing to conduct cyber-attacks when deemed necessary

316 NATO News, “NATO News: NATO Opens New Centre of Excellence on Cyber Defence”; Michael N. Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare, Tallinn Manual 1 (Cambridge: Cambridge University Press, 2013), https://www.cambridge.org/au/academic/subjects/law/humanitarian-law/tallinn-manual-international-law-applicable-cyber-warfare, https://www.cambridge.org/au/academic/subjects/law/humanitarian-law; Michael N. Schmitt and Liis Vihul, eds., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Tallinn Manual 2 (Cambridge: Cambridge University Press, 2017), https://www.cambridge.org/au/academic/subjects/law/humanitarian-law/tallinn-manual-20-international-law-applicable-cyber-operations-2nd-edition, https://www.cambridge.org/au/academic/subjects/law/humanitarian-law. 317 Miroslav Mareš and Veronika Netolická, “Georgia 2008: Conflict Dynamics in the Cyber Domain,” Strategic Analysis 44, no. 3 (May 3, 2020): 224–40, https://doi.org/10.1080/09700161.2020.1778278; Stiennon, “A Short History of Cyber Warfare,” 18–20. 318 Mareš and Netolická, “Georgia 2008”; Stiennon, “A Short History of Cyber Warfare,” 18–20.


111

in order to achieve the stated goals of the government, particularly in areas once part of the Soviet

Union, and still considered within the Russian sphere of influence and security.319

Given this operation came on the heels of the Estonian cyber-attacks of 2007, the Georgian

situation may not have securitised cyberspace outside the state being attacked, but as with the

Estonian attacks I would argue that Georgia contributed to the initial elevation of cyberspace in

military terms. It brought into sharp relief the ways that cyber-attacks could contribute in real

terms to military operations, and the kinetic difficulties that would ensue for the victim state if

their cyber defences were not, in turn, sufficient to the task of repelling a cyber assault. It also

made clear, if it had not been before, that whether or not all parties agree to the fact of cyberspace

being a war fighting domain, the fact of the matter is that governments and militaries are treating

it as such; all states must be prepared to defend their networks from malicious actors and attacks,

and also to utilise cyberspace as a tool of state power in offensive operations against actors with

hostile intent. To do otherwise would be foolhardy in the digitalised society of today.

In terms of the elevation of cyberspace to a security threat, as stated above, I would not consider

the Georgian attacks the instigating act of a securitisation in the sense of moving from second-

order acknowledged risk to first-order security threat. What the Georgian operation did was to

elevate the risk of future cyber-enabled military campaigns by bringing the existence of such into

the light, as it were, and making political and military elites aware of the dangers involved in conflict

when advanced communications technologies are both used and undermined by an opposing

party. In addition, attacks such as those on Estonia and Georgia do not just affect the victim states

in terms of military and political security; the loss of crucial financial and communications

infrastructures to the attacks can incur huge costs to the governing administrations of both states.

PRISM

Perhaps nothing in the history of cyberspace development has so effectively contributed to its

riskification and securitisation as the revelation of the NSA surveillance web. Unlike the cyber-

attacks associated with the Estonia and Georgia conflicts, the US was not in a conflict relationship

with the majority of parties upon which they were discovered to have been conducting

319 Ronald J. Deibert, Rafal Rohozinski, and Masashi Crete-Nishihata, “Cyclones in Cyberspace: Information Shaping and Denial in the 2008 Russia–Georgia War,” Security Dialogue 43, no. 1 (February 1, 2012): 3–24, https://doi.org/10.1177/0967010611431079.


112

surveillance.320 Through various cyber structures, the NSA was discovered to have a number of

programs running that enabled them to surveil and collect data on tens of millions of people,

including citizens of the US, across a broad range of sovereign states.321 Dragnet surveillance, as it

has come to be termed in the aftermath of the so-called NSA scandal, ensured that the NSA had

a vast quantity of data within which to search for data points relevant to their national security

intelligence requirements.322

Unfortunately for the NSA, when the program was discovered through the leaking of significant

quantities of information by ex-NSA contractor Edward Snowden, the public and private backlash

was immense.323 The sheer volume of data that the NSA was sweeping up in its dragnets concerned

citizens both foreign and domestic, and those affected by the surveillance ranged from the ordinary

individual up to world leaders, including spectacularly German Chancellor and American ally

Angela Merkel.324 As further information was released in the days and weeks following the initial

breaking of the story, the true extent of the American intelligence network came to the fore, and

brought intelligence into the public eye in a spectacular and negative light. Following the leaks, the

NSA is now one of the most well-known intelligence agencies in the world.

The Snowden leaks also exposed the sheer strength and extent of the intelligence collection

capacity of the US and its allies, as pertaining directly to digitalised data. Using a variety of

techniques, the NSA had (and likely still has) access to more information that it could ever possibly

analyse. Given the volume of digitalised information that could become actionable intelligence,

combined with the velocity at which the information is created and the inordinate variety of

information that is available, it is unrealistic to assume that dragnet surveillance, especially at the

level the NSA was conducting, will in fact make the US any more secure at the domestic or

international level.

320 Richard Lempert, “PRISM and Boundless Informant: Is NSA Surveillance a Threat?,” Brookings (blog), November 30, 1AD, https://www.brookings.edu/blog/up-front/2013/06/13/prism-and-boundless-informant-is-nsa-surveillance-a-threat/; T. C. Sottek and Janus Kopfstein, “Everything You Need to Know about PRISM,” The Verge, July 17, 2013, https://www.theverge.com/2013/7/17/4517480/nsa-spying-prism-surveillance-cheat-sheet. 321 Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA and the Surveillance State (Melbourne: Hamish Hamilton, 2014). 322 Julia Angwin, Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance (New York: Henry Holt and Company, 2014). 323 Greenwald, No Place to Hide: Edward Snowden, the NSA and the Surveillance State; Lempert, “PRISM and Boundless Informant.” 324 Reuters in Berlin, “NSA Tapped German Chancellery for Decades, WikiLeaks Claims,” the Guardian, July 8, 2015, http://www.theguardian.com/us-news/2015/jul/08/nsa-tapped-german-chancellery-decades-wikileaks-claims-merkel; Ian Traynor, “Angela Merkel: NSA Spying on Allies Is Not On,” the Guardian, October 24, 2013, http://www.theguardian.com/world/2013/oct/24/angela-merkel-nsa-spying-allies-not-on.


113

One of the arguments used to justify dragnet surveillance is the practice of hopping, or networking:

tracing the communications of a known (and presumably wanted) individual in order to map his

network, the idea being that having access to all possible information will enable the mapping of

terrorist networks. The intelligence community being what it is, it is highly unlikely that the general

public will ever discover or be informed of whether or not this practice has actually succeeded in

increasing the (perceived) security of the USA, or in tracking down terrorist suspects and cells.325

What the NSA leaks did manage to do was prove beyond reasonable doubt that cyberspace was

most definitely exploitable, and was most definitely being exploited. This is a risk not just to states

but to all actors therein; the privacy debate came to the forefront of both public and government

consciousness, and has remained there in some fashion since.

In terms of riskification and securitisation, the Snowden leaks revealed to allies, enemies, and

parties neutral to the US that cyberspace was being actively navigated and exploited by the largest

intelligence community in the world. As further information was released and the extent of the

NSA's capabilities in cyberspace became clearer, so too did the political consequences of the

practice of dragnet surveillance. The suspicion of US intelligence agencies continues to this day,

and many books, articles and documentaries have been released that examine and analyse both the

material released by Snowden, and the direct and indirect consequences of those revelations.326

The Snowden revelations also revealed the UK’s Government Communications Security

Headquarters (GCHQ) and other Five Eyes partners were heavily engaged in global surveillance

in partnership with NSA. The value placed on global communications data as well as the

vulnerability of that data became extremely clear, and has continued to increase.

There can be no doubt, after the revelation of the exploitable capacity of cyberspace, that

increasing reliance on digital networks and cyberspace infrastructure without similar attention to

increasing the security of that infrastructure, as well as the applications and programs run on that

infrastructure, is increasingly dangerous. The practices that the US was conducting in terms of

exploiting the relatively insecure structure of cyberspace to the detriment of both enemies and

allies was unexpected in the extreme. Rather than increasing the security of the US through the

extension of intelligence networks and raw information sources, I would argue that, upon

discovery, the NSA dragnet practice decreased the overall security of the US as other actors in the

325 Quantifying something like this would be extremely difficult, if not impossible, as it would involve assessing people’s changed perceptions. 326 Angwin, Dragnet Nation; Greenwald, No Place to Hide: Edward Snowden, the NSA and the Surveillance State; Luke Harding, The Snowden Files: The Inside Story of the World’s Most Wanted Man (New York: Vintage Books, 2014).


114

international system began strengthening cyber programs in response to the (perceived) aggressive

stance of its government on use of cyberspace. Snowden’s actions in revealing the extent of

surveillance and the quantity of data being collected elevated the vulnerability of cyberspace in

terms of audience susceptibility to intelligence collection. It also showcased the lack of CCI

practices in place at individual through to state levels, highlighting the importance of increased

attention to CCI as well as the value of investing in the security and resilience to cyber-attack and

exploitation of individuals as well as governments.

Threat Elevation of Cyberspace

According to the elevation framework, there are a number of crucial elements to a securitisation

process, which I examine above. In addition, these elements contribute to a process which is

completed in stages, separating third order political issue from second order risk, and second order

risk from first order threat. The two processes that must be undertaken to move between these

orders are riskification (to go from political concern to risk), and securitisation (to go from risk to

(existential) threat). As has been discussed in the sections above, there have been a number events

over the course of the last several decades that have contributed to the overall perception of

cyberspace as a growing vulnerability and probable attack vector, as we become an increasingly

digitalised and informed society. Cyberspace is undoubtedly a domain in which intelligence

collection and exploitation occurs, and so efforts must be made not just to increase cyber security

in the form of defensive measures such as anti-virus and firewalls, but counterintelligence measures

in order to protect sensitive and proprietary information. The combination of cyber defence and

cyber counterintelligence will enhance the resilience of the state to cyber-attack and exploitation

— see Figure 1 The Elements of Cyber Security. It would be difficult to deny the fact that

cyberspace, while an integral part of everyday life for most, now presents almost as much a risk as

it does a benefit. And the key word to focus on there is risk. Despite the many cyberspace strategies,

agencies and departments within both civilian administrations and military hierarchies, and a

growing number of international agreements and treaties concerning cyberspace, I would argue

that cyberspace has not yet been securitised. It has, however, been successfully riskified.

This is not to say that the elevation process will stop at successful riskification. The validity of an

analysis performed according to the elevation framework does not expire upon the eventual

designation of risk rather than threat. Because there is no inbuilt mechanism in the elevation

framework that requires an analysis to be performed within a specified timeframe, and does not

require that the elevation process be conducted within a certain period of time in order to be valid,


115

it is possible to simply designate an elevation process as ongoing and worthy of further analysis.

In the case of cyberspace, this is exactly the conclusion at which I have arrived. While cyberspace

is admitted by many parties in the international system to present valid security risks, I would

hesitate to say that any actor with the legitimate authority to speak security for the state has framed

cyberspace (or the use/exploitation thereof) as an existential threat to the modern state. If

anything, despite cyberspace being acknowledged as a risk to state security, the uptake of cyber-

enabled technologies has actually increased rapidly, and it is highly probably that this will continue.

Conclusion: Riskified but Not Securitised

It may never be known by the public whether securitising moves have been made out of the public

eye; much of state capacity in and exploitation of cyberspace is highly classified – and rightly so.

If this argument were made for every international security issue, however, there would be no

political theory or framework that could produce conclusions worth anything at all. Every analyst

must work with, and produce conclusions from, the intelligence that is available to them at that

point in time; it is the same for social scientists. According to the precepts I have outlined for

elevation theory and the information available to the public, cyberspace has not been successfully

securitised. It has been riskified, and may in the future be securitised, but at this point has not been

identified and acknowledged as representing an existential threat to the state. No extraordinary

measures have been requested to mitigate the (potential) threats posed by the existence and

(foreign) exploitation of cyberspace, and, at present, the element of extreme necessity has not been

fulfilled. As cyberspace has developed and been riskified, actors that have chosen to utilise and

exploit cyberspace (from the casual individual user through to state representative entities) must

become familiar, at a minimum, with the basic concepts of cyber security, and act in such a way as

to maximise their own safety and security in cyberspace. A large part of that familiarity and practice

is the employment of (though not necessarily explicit understanding thereof) the principles of

counterintelligence, particularly at the level of state interaction.

Cyber counterintelligence practices will contribute to the overall cyber security of the state (or

other actor being analysed) through denying the adversary access or opportunity for intelligence

collection and exploitation, in addition to subverting intelligence operation undertaken through

cyberspace or cyber-enabled means. The identification and subversion of adversary intelligence

operations separate cyber counterintelligence from cyber defensive measures such as system

protection and the repulsion of attacks against systems, such as distributed denial of service. As

identified in chapter two, cyber counterintelligence consists of “the methods, processes and


116

technologies employed to prevent, identify, trace, penetrate, infiltrate, degrade, exploit and/or

counteract the attempts of any entity to utilise cyberspace as the primary means and/or location

of intelligence collection, transfer or exploitation; or to affect immediate, eventual, temporary or

long-term negative change otherwise unlikely to occur.”327 One such example of the use of

cyberspace for intelligence exploitation to effect negative change will be considered in the chapter

six discussion of disinformation, and the current failure to adequately elevate the risk to democratic

integrity of cyber-enabled disinformation campaigns.

This chapter has developed the threat elevation analysis framework, articulating the pyramidal

process of elevation through riskification and securitisation and identifying the applicability of a

modernised framework by which to trace the development of threats. It has contextualised the

elevation of cyberspace as a threat by providing examples of events through which cyberspace has

been elevated, concluding that at present cyberspace has been riskified. The next chapter uses the

threat elevation analysis framework to analyse how the perception of cyberspace as a risk to

national security has developed in the UK as a case study, and whether specific counterintelligence

practices or responses have developed in concert with the increased level of perceived risk.

327 O’Connor, 112.

117

4 - The United Kingdom: Tracing the Threat Perception of Cyberspace How has the state threat perception of cyberspace developed? Is any evolution of threat perception

correlated to the development of counterintelligence responses to cyber-enabled disinformation?

In order to begin answering these questions, this chapter uses threat elevation analysis to trace the

development of the threat perception of cyberspace in the United Kingdom (UK). By identifying

and tracing the evolution of the way the UK frames cyberspace in national security documentation

(the ‘official view’), this chapter seeks to identify the extent to which the threat of cyberspace has

been elevated in the UK. An assessment of the threat elevation of cyberspace provides a partial

explanation for attitudes in the UK not only to cyberspace, but to its perception of risk and threat

in the national security space. If the threat perception of cyberspace has been either riskified or

securitised, then there should also be an evolution in the approach to cyber security and cyber

counterintelligence (CCI) practices that can be ascertained through process tracing and discourse

analysis. This will lay the foundation of, and inform, subsequent chapters, which will examine CCI

and establish the audience as a threat vector and security vulnerability in considering cyber-enabled

disinformation as a threat to democratic integrity.

The examination of Stuxnet in chapter three identified the importance of the human factor both

in conducting espionage operations, and in considering counterintelligence measures to combat

them. The psychology of the audience – their perception of the cyber domain and the risks therein

– will directly affect not only implementation of general cyber security and specific cyber

counterintelligence measures, but their susceptibility to adversary intelligence operations such as

disinformation campaigns. CCI practices, best designed and implemented, need to recognise the

influence of perception – psychology – on how CCI practices can and will be understood and

employed. One way of assessing how these practices develop is the case analysis of how an actor

has elevated the threat perception of cyberspace and whether management and mitigation

measures such as CCI have developed contemporaneously.

The UK was selected as the case study for analysis for a variety of reasons, chief amongst which

was their history of publishing their national security strategy documentation for public

consumption and analysis. I have selected nine official documents that the UK published across

the selected period of analysis – 2008-2018 – related specifically to national defence and security,

which are analysed in the following sections. A second reason for choosing the UK as the subject

of analysis is its status as a fully developed Western-style liberal democracy; by analysing its

response to specific issues, potential lessons can be derived from the experience and responses of

Chapter 4 – The United Kingdom

118

the UK to best inform the national security and intelligence policies and frameworks of nations

developing along the same political path. While not all states will be subject to the same national

security risks and threats or have the same intelligence and security requirements, there will still be

valuable lessons to learn in terms of how the UK responded to threats which do apply to most

modern states, such as those enabled by cyberspace and cyber-physical networks and technologies.

Finally, the UK is part of the Five Eyes intelligence cooperation network, comprised of the UK,

the United States of America (US), Canada, Australia, and New Zealand (NZ). By analysing how

a mature democracy like the UK has responded to and countered (or not) risks and threats in

cyberspace, its intelligence and security partners, and other allies, can judge the success or failure

of various countermeasures and strategies to build upon or develop their own. In analysing the

national security documentation of the UK, we see that the threat perception of cyberspace has

been elevated. This chapter thus shows the utility of threat elevation as an analytical tool, as well

as showcasing the changing treatment of cyberspace in the national security area.

Document Selection and Justification

In selecting which sources to examine for a case study that analyses the threat elevation of

cyberspace and the evolution of a concept like counterintelligence, and how these affect

disinformation, it is readily apparent that analysis must occur at the state level. How governments

understand these concepts and enshrine them into policy directly affects the deployment of

resources to resolve the problems that arise. Directives issued at the state level serve the purpose

of both dictating domestic policy and foreign engagement as well as signalling state position to

adversaries. Official government documents, in the form of national and cyber security policies

and frameworks, are the best fit for such an evaluation. They represent both the contemporary

understanding of the governing Administration of the threatscape at the time the document was

published, as well as what the forecasted risks and threats would be and, to an extent, how the

state would respond to those risks and threats. As such, for the period under review (2008-2018),

nine documents were selected. These documents include national security strategies; strategic

defence and security reviews; a national security capability review; and cyber security strategies.

Nine documents across a period of one decade should provide sufficient documentation to prove

whether or not threat elevation or attenuation has occurred as expected, and whether or not there

have been risk management and/or threat mitigation measures put into place to support either an

elevation or an attenuation.


119

CCI and the Current Threat Environment

As will be seen in chapter five, counterintelligence has had to evolve in order to treat security

concerns in a cyber-enabled age. The threat landscape has shifted, and citizens of target states are

regularly the intended audience of cyber-enabled disinformation campaigns intended to instigate

political of behavioural shifts that will benefit the adversary. There are a greater (and increasing)

number of capable actors in cyberspace with which the intelligence and security apparatuses must

contend, increasing the requirement on citizens to contribute to the overall resilience and security

of the state in cyberspace. Because CCI is a relatively recent field in comparison to traditional (non-

cyber) intelligence and counterintelligence, a significant amount of inference needs to be done in

order to ascertain how the discipline is understood and how it has developed. Additionally,

audience perception and psychology have a significant degree of importance in term of the uptake

and implementation of CCI measures at all levels of analysis, so an examination of CCI in the

current threat environment must take into account several elements.

First, how the state (or other actor) in question perceives cyberspace on the spectrum of concern

through to threat, and whether that has evolved across a selected period of time. Second, whether

there is a recognition or acceptance of the role of intelligence and security agencies in the resilience

and security of cyberspace. Third, whether there has been a recognition that in the cyber-enabled

age, the audience (i.e., the citizenry) of a highly-networked society is both a vulnerability and a

threat vector, particularly in terms of information warfare and intelligence collection and

exploitation. There are few states with sufficient commitment to policy transparency and a high

degree of network connectivity for which there is sufficient national security documentation to be

able to infer answers to these questions. The UK has sufficient commitment to both, as well as

recent exposure to adversary information operations, and as such is a good candidate for an

analysis of the evolution of perceived threat of cyberspace and contingent development of cyber

counterintelligence. This will provide an understanding of how a state is perceiving and reacting

to the current threat environment.

Analysis: National Security Strategies and Strategic Defence and Security Reviews

This qualitative documentary analysis is split into two broad sections; general national security

documentation, followed by cyber-specific security documentation, with both sections presented

in chronological order of publication. This is intended to show the elevation (if any) of cyberspace

as a threat in general national security terms before moving into cyber-specific documentation,

which will necessarily present a greater perception of risk and threat from one vector than would


120

a general national security document. Within each documentary analysis, the examination is

presented in terms of identifiable threats and drivers. Considered in this section are the 2008

National Security Strategy; the 2009 Update to the 2008 National Security Strategy; the 2010

National Security Strategy; the 2010 Strategic Defence and Security Review; the 2015 National

Security Strategy and Strategic Defence and Security Review; and the 2018 National Security

Capability Review.

2008: The National Security Strategy of the United Kingdom: Security in an Interdependent World

The 2008 National Security Strategy of the United Kingdom was the first articulated, published

national security strategy of that country.328 Considering the recent and contemporary history at

the time the 2008 Strategy (henceforth ‘the Strategy’) was written, it is expected that there will be

several overarching themes such as terrorism/counterterrorism; transnational crime; and failed or

failing states. The assumption going forward will be that the overarching identified ‘threats’ to

national security will peak and, according to the elevation theory framework upon which this thesis

is based, then be attenuated as the threat is downgraded through mitigation and (risk) management.

Threats and Drivers

The Strategy identifies five particular threats or areas of threat: international terrorism; weapons

of mass destruction; conflicts and failed states; pandemics; and transnational crime. These threats

are then assumed to be related to; caused by; or otherwise exacerbated by five drivers: climate

change; competition for energy; poverty and poor governance; demographic changes; and

globalisation.329 There is a particular focus on (international and/or transnational) terrorism as the

greatest threat faced by the UK at the time of publication, and presumed into the near-middle

future. This assumption is threaded throughout the 60-page document, coupling the dangers and

consequences of (varieties of) terrorism with the other identified threats and drivers.

Importantly for this thesis, in talking about the threat of terrorism against the UK, the Strategy

mentions for the first time the potential for ‘electronic attack’ in Chapter 3 (Security Challenges).330

Interestingly, and somewhat frustratingly, there follows no articulation or definition of the term,

and it appears only three times throughout the course of the document. What does follow is a

328 Cabinet Office of the United Kingdom, “The National Security Strategy of the United Kingdom: Security in an Interdependent World” (The Stationery Office, 2008), https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/228539/7291.pdf. 329 Cabinet Office of the United Kingdom, 3. 330 Cabinet Office of the United Kingdom, 10 para 3.6.


121

discussion of the merits and dangers of technological innovation and complexity, as well as the

dangers of complex interdependence in terms of global communications. It is within this section

that we see the first use of the term “cyber-attack”; once again, however, there is neither a

preceding nor subsequent discussion of how the term is understood and applied by the UK

government, nor how the threat of cyber-attack is being/will be mitigated.331 Additionally, there is

no recognition of the intelligence collection and exploitation potential of cyberspace, from which

we can infer that recognition of the necessity of CCI within the United Kingdom at this time was

likely negligible.

A strong theme that emerges in the Strategy is the acknowledgement of non-state actors as a

growing (and prominent) element of the national security threatscape. While the 2008 Strategy is

the first of its kind from the UK, the inference can be made that the appearance of non-state actors

on the national radar as threatening to the state is a novel occurrence.332 It should be noted here

that, while non-state actors are acknowledged in this Strategy as a legitimate threat against the state,

the broad inference that can be made of the national security discussion therein is that the potential

for hostile action that could present an existential threat against the state (the UK) remains in large

part with hostile states rather than non-state actors, regardless of reputation or combative history.

Throughout the sections concerning the threat capacity of both states and non-state actors is a

pervasive theme relating to the varieties of terrorism, the overall existence of which is deemed to

be the greatest contemporary threat to the security if the UK. Additionally, it is assumed (forecast)

that terrorism (regardless of variety) will continue to be one of, if not the greatest threat to be faced

by the UK in the foreseeable future.

There seems to be an ambiguity of meaning and a lack of concentration on cyber-attacks or

electronic attacks in the Strategy itself. Both terms are used, but there is no differentiation between

or articulated understanding of either. While this could have been an oversight, considering there

was no (limited or otherwise) summary or dictionary of terms published with the Strategy, there is

no way to be certain whether or not these terms were used to refer to the same thing, or to different

concepts altogether. Additionally, the term “technical attacks” is used in Section 3.26,333 but it

seems to be used as a synonym for electronic attacks or cyber-attacks; again, there is no articulation

331 Cabinet Office of the United Kingdom, 21 paras 3.47-8. 332 Cabinet Office of the United Kingdom, 22 para 3.53. 333 Cabinet Office of the United Kingdom, 16.


122

of meaning attached to the phrase.334 Given the growing importance of cyberspace even in the

mid-2000s, it is somewhat confusing that a clarified definition of national security terms was

neither provided at the time of the Strategy’s release, nor in the updates that followed.335 This

despite the fact that information and communications systems were considered (at minimum) to

be one of the UK’s vital security interests.336

While there is no explicit reference in the Strategy to counterintelligence (either cyber- or

traditional), it can be inferred from paragraph 4.66 in Chapter 4 that the UK considers cyber-

attacks to be part of the intelligence field;

On Intelligence, in addition to the major effort required to tackle the current level of terrorist threat, the security and intelligence agencies will continue to protect the United Kingdom against covert activity by foreign intelligence organisations aimed at political, economic and security targets, including cyber-attack [sic].337

“Cyber-attack” as used here could be inferred as a catch-all phrase intended to include espionage

and intelligence operations given the context in which the phrase appears. Per the definition

provided in chapter two of this thesis, cyber counterintelligence is certainly intended to subvert

the covert cyber activities of foreign intelligence services, though the recognition above is a limited

acknowledgement of adversary cyber intelligence and exploitation operations. It is worth noting,

however, that even where the discussion turns to the intelligence and security services (and their

practices and mandates), which is not at all frequently, the discussion is often linked or in relation

to issues of terrorism and/or counterterrorism. For example, there is reference to “covert

intelligence” for the purposes of detecting and disrupting “the terrorist threat” on page 25 of the

Strategy, but for no other purposes throughout.

Based on the themes and drivers discussed (and inferred) from the 2008 Strategy, there is potential

to examine the UK security strategies for both threat elevation and threat attenuation of

cyberspace.338 Consideration of the perceived threat from cyberspace was low in the 2008 Strategy,

334 While the US Department of Defense has released (and semi-regularly updates) their Dictionary of Military and Associated Terms, to my knowledge they are the only one of the Five Eyes states to have done so. See Joint Chiefs of Staff: http://www.jcs.mil, “DOD Dictionary of Military and Associated Terms (June 2018)” (United States. Joint Chiefs of Staff, June 1, 2018), https://www.hsdl.org/?abstract&did=. 335 Considered in subsequent sections. 336 Cabinet Office of the United Kingdom, “The National Security Strategy of the United Kingdom: Security in an Interdependent World,” 44 para 4.63. 337 This section of the Strategy considers cyber-attacks in the explicit context of intelligence (and thus counterintelligence). Cabinet Office of the United Kingdom, 44. 338 There is also the potential to analyse the elevation and attenuation of threat through the treatment of terrorism, though an in-depth analysis is beyond the scope of this thesis and will be restricted to minor commentary in favour of the threat elevation analysis of cyberspace.


123

particularly in comparison to threats such as terrorism. Given this low starting position, there is

scope to observe whether or not the threat perception of cyberspace was elevated in subsequent

national security documentation.

There is a commitment to a ‘high-technology’ approach to national security in the Strategy, without

specific articulation of what this necessarily means or what the vulnerabilities of this approach

might be. Despite this ambiguity, we can infer that complex information and communications

technologies, in conjunction with the growing need for and reliance on cyberspace, will influence

and affect the ways in which the UK understands and approaches the protection of national

security. The Strategy does detail the threat levels according to which the UK views risks and

threats; these can be found in the Strategy endnotes,339 and roughly correlate to the

elevation/attenuation structure in Figure 5 - Securitisation and the orders of concern.

The UK threat levels consist of low (attack unlikely); moderate (possible but unlikely); substantial

(strong possibility); severe (high likely); and critical (imminent danger). I consider these threat levels

roughly equivalent to the stages of threat elevation: something is low risk when it is a third order

political concern, though if elevating acts or moves occur, it riskifies (moves to moderate threat)

and either stabilises at substantial (second order risk), or securitises (becomes a severe threat) and

becomes a first order threat (critical danger).340 That the UK has a structure for understanding

threats that accords roughly with the threat elevation analysis framework I consider to be a

validation of the framework itself, and justification of continued research using the elevation

structure for ex post facto analysis of rising threats.

In terms of specific intelligence and counterintelligence foci or requirements, paragraph 4.39

admits to the need for an expansion of analytical capacity over and above current levels, claiming

that the Administration would “continue to strengthen our national analytical capacity for early

warning and strategy development...”341 Understandably for a public document, the focus on

intelligence and security agencies, capacities, and shortcomings is brief and vague; inference is a

subjective practice, but where this has occurred for the purposes of qualitative analysis, I will

acknowledge this explicitly. Overall, the 2008 Strategy forms a good foundation for the analysis of

the UK’s threat perception of cyberspace and whether it has been elevated across the period under

339 Cabinet Office of the United Kingdom, “The National Security Strategy of the United Kingdom: Security in an Interdependent World,” 61. 340 Cabinet Office of the United Kingdom, 61. 341 Cabinet Office of the United Kingdom, 37.


124

examination, 2008-2018. There also appears to be scope for an analysis of the development of CCI

in the UK. Subsequent chapters will develop the concept of CCI and how the human factor in

CCI is crucial to building resilience to threats such as the negative effects of disinformation.

2009: Update to the National Security Strategy of the United Kingdom: Security for the Next

Generation

In the 2009 Update (henceforth “’09 Update”) to the original 2008 National Security Strategy,

there is an immediate acknowledgement in the executive summary of the increasing importance

of ‘cyberspace’ to the national security of the UK – the first time the term is used in either

document.342 Following the practice in the 2008 Strategy, the term is used without an

accompanying definition. The ’09 Update follows the original structure and complement of themes

and drivers set out in the 2008 Strategy, though goes into considerably more detail: whereas the

2008 Strategy comprised 60 pages, the ’09 Update contains 112. In the consideration of ideology

as a driver of security threats, the ’09 Update links ideology to violent extremism and makes a

point of identifying both ethnic and nationalist ideologies, as well as religious ideologies, as having

the potential to threaten the security of the UK.343 In general terms, the ’09 Update seems markedly

more comprehensive and in-depth than the original 2008 Strategy, which can perhaps be explained

by having learned from the original drafting process and the feedback received since the

publication of the first.

Threats and Drivers

Important for the purposes of this thesis, and the test of threat elevation theory, is the fact that

the ’09 Update contains a section specific to cyber security,344 which, as previously mentioned, only

appeared infrequently in the 2008 Strategy, and then mostly by inference or oblique reference.

Regarding the discussion of cyberspace generally and cyber security specifically, an interesting

theme that emerges in the ’09 Update is the tendency toward analogising these with global and

national health, at one point specifically referring to the “health of cyber space.”345 Whether this is

a conscious or unconscious decision, perhaps to make the cyber domain and the concerns therein

more comprehensible to non-experts, is unclear. The health analogy does not continue in later

342 Cabinet Office of the United Kingdom, “The National Security Strategy of the United Kingdom: Update 2009” (The Stationery Office, 2009), 7, http://www.cabinetoffice.gov.uk/media/216734/nss2009v2.pdf. 343 Cabinet Office of the United Kingdom, 10. 344 Cabinet Office of the United Kingdom, 13. 345 Cabinet Office of the United Kingdom, 13 para 47.


125

strategies and reviews; I infer that it was used initially to encourage understanding based on existing

frames of reference before being discarded in favour of area-specific terminology and analysis.

The ’09 Update also recognises the instantaneous nature of information and public opinion in the

digital era, tying that concern into the information operations domain.346 More so than the 2008

Strategy, the ’09 Update goes into further detail on the different elements of, and risks/threats to,

the national security of the UK, and information operations both by and against the UK. This is

also the earliest acknowledgement I have found which explicitly recognises the effect — perhaps

circular — of information operations on public opinion and therefore the national security and

political sovereignty of the UK. It can be considered as early recognition of the impending security

issues concerning psychological operations and democratic resilience and integrity.

Overall, the ’09 Update seems to articulate and operate on the idea that cyber space is a domain

through which threats (including other actors, both state and non-state) are enabled or delivered,

rather than a disparate threat.347 This seems to correlate to the hypothesis (outlined earlier in this

thesis) that cyberspace is an enabling overlay to the physical domains of land, sea, air, and space.

There is an elevation of perceived threat in subsequent strategies of the potential danger of

cyberspace in terms of the possible consequences to national infrastructure and interests, but the

continuing understanding is of cyberspace as a vehicle for traditional threats rather than a threat

itself. In the context of the current focus on the vulnerabilities of cyberspace and ongoing instances

of cyber-attacks and exploitations, it is an intriguing position to take. Despite the heightened focus

on cyber space in terms of national security, however, there is a continued emphasis on, and

awareness of, the terrorist threat/s against the UK and the probability of (further) kinetic attacks.348

Interestingly, despite cyberspace being identified as a new “area through which (the UK) may be

threatened,”349 there was no concurrent identification of cyber or electronic warfare as a specific,

disparate threat. Nor was there an explicit recognition that beyond destructive options, cyberspace

is also a domain in which intelligence collection and exploitation is likely to occur. The

announcement is made that, accompanying the ’09 Update to the 2008 National Security Strategy,

there would be a side-by-side publication of the first UK national cyber security strategy (see later

sections of this chapter for the analysis of that document).350 This announcement, in combination

346 Cabinet Office of the United Kingdom, 15 para 50. 347 Cabinet Office of the United Kingdom, 20 para 2.6. 348 Cabinet Office of the United Kingdom, 22 para 2.22. 349 Cabinet Office of the United Kingdom, 27 para 3.6. 350 Cabinet Office of the United Kingdom, 31 para 3.11.


126

with the link made between, and articulation of, the UK’s intelligence services and the development

of defences against cyber threats, does lend credence to the idea that CCI measures are an

increasingly important item on the British national security agenda.351 This is the first explicit

evidence we see of elevation occurring in the ’09 Update that identifies an evolution in threat

perception.

Another term that appears for the first time in the ’09 Update is “cyber technology”,352 used in

relation to the concept of technological innovation and how that has/will have negative as well as

positive consequences for national security, particularly for the UK, but also globally. The Strategy

identifies the potential exploitation of such technologies by “terrorists and organised criminal

groups, or others with malicious intent as a negative consequence of technological innovations in

cyberspace”.353 Once more, this is linked to the overarching theme of terrorism/counterterrorism

as relates to the UK, but this concept can be applied to all sectors of security. In fact, the ’09

Update refers frequently to advances in (communications) technologies in the economic and

environmental sectors, as well.354 The application of CCI measures and practices is particularly

relevant to multi-sectoral security problems such as disinformation, much if which is now

transmitted on advanced telecommunications and social media platforms. Pandemic

disinformation in relation to the COVID-19 pandemic, for example, affects multiple security

sectors and will be considered further in chapter six. This change from the previous Strategy

suggests that we are seeing the first evidence of the threats from cyberspace being elevated. With

respect to the terrorist use of cyberspace, cyber counterintelligence operations are a likely

consequence given that one purpose of CCI is to trace, identify, and subvert actor using cyberspace

to effect negative outcomes. While this is not identified, it is implicit according to an understanding

of counterintelligence in cyberspace.

This contributes to the evolving idea that although it is unlikely that the UK will/would face hostile

military action from another state that would “threaten the independence, integrity and self-

government of the UK”, there is a potential for non-military state threat in less traditional domains,

though these aren’t specifically articulated.355 State-sponsored or -supported actors, for example,

have engaged in or signal-boosted disinformation campaigns with direct and negative

consequences for British infrastructure, democratic integrity, and future security – chapter six will

351 Cabinet Office of the United Kingdom, 34 para 3.31. 352 Cabinet Office of the United Kingdom, 40 para 4.16. 353 Cabinet Office of the United Kingdom, 40 para 4.16. 354 Cabinet Office of the United Kingdom, 40 para 4.16. 355 Cabinet Office of the United Kingdom, 41 para 4.20.


127

consider this in-depth. While there is an articulation of the potential of some states looking “to

develop cyber-attack capabilities” later in the ’09 Update,356 it would be difficult to say that the

recent and current situation could have been foreseen or mitigated. Indeed, foreign interference in

democratic processes, and particularly in elections, has become one of the foremost security issues

from Western democracies.357

One of the elements of UK national security that lends force to the threat of foreign interference

is that, largely as a consequence of globalisation and complex interdependence with the

international community of states358 (which is only in part due to previous membership with the

European Union) it is practically impossible to separate the domestic security of the UK from

international security.359 The interconnected nature of the international economy, the alliance

structures that have developed over decades, and even the contemporary nature of social and

cultural interchange, have resulted in an international system wherein the security of one state can

be (and often is) influenced and affected by other states, just as those states are also influenced

and affected. Nor is it necessary for those states to be geographically contiguous to have complex

security interdependencies; consider the relationship of the UK’s security to that of the US. The

economic, political, and strategic stability and integrity of the US impacts many states, including

the UK, by virtue of complex economic, socio-political, and security relationships.

These elements all add to the development within the ’09 Update of the understanding that

technology is a driver of both innovation (in a positive sense) and insecurity (in a negative sense),

and thus should be both exploited, and mitigated against, for the purposes of security. One

particular threat that is articulated and discussed is that electronic communications and

information systems are a threat vector (vulnerable to attack); given the contemporary reliance on

such systems and even the levels of reliance in the mid-2000s, this is a significant vulnerability and

a particular cyber counterintelligence problem.360 In terms of both system and information

integrity, there needs to be an evolution of understanding in how to both identify and subvert

356 Cabinet Office of the United Kingdom, 42 para 4.23. 357 See Adam Henschke, Matthew Sussex, and Courteney O’Connor, “Countering Foreign Interference: Election Integrity Lessons for Liberal Democracies,” Journal of Cyber Policy 5, no. 2 (2020): 180–98; Karen Yourish, Larry Buchanan, and Derek Watkins, “A Timeline Showing the Full Scale of Russia’s Unprecedented Interference in the 2016 Election, and Its Aftermath,” The New York Times, September 20, 2018, https://www.nytimes.com/interactive/2018/09/20/us/politics/russia-trump-election-timeline.html. 358 Bilateral and multilateral treaties and agreements as well as the economic complexities of the global liberal capitalist system have resulted in close (and often fraught) ties between nations. 359 Cabinet Office of the United Kingdom, “The National Security Strategy of the United Kingdom: Update 2009,” 49 para 5.4. 360 Cabinet Office of the United Kingdom, 50 para 5.8.


128

adversary attempts to exploit these systems without degrading or destroying them (CCI). What is

not discussed, however, is what should or could be done in order to harden and stabilise these

critical systems against interference or outright attack (overall cyber security). Moreover, while we

are seeing the first evidence of cyberspace being elevated, the focus in the ’09 Update is on the

technology more broadly. As will be discussed in detail in my examination of the rise of

disinformation in chapter six, effective CCI needs to include human factors as essential to any

effort to harden vulnerable systems.

Directly relevant to the discussion within this thesis on the development and evolution of CCI,

the UK’s ’09 Update does view the amalgamation of espionage with cyberspace as a possible non-

military action that can be used against the state to threaten stability, though this is not widely or

deep considered.361 Accordingly, the acknowledgment of the necessity for CCI can be inferred

from statements that confirm that “the UK already faces a sophisticated and pervasive threat from

hostile foreign intelligence activity, much of which is conducted in the cyber domain.”362 The

recognition of a ‘sophisticated and pervasive threat’ emanating from the cyber domain is an

important elevation in published threat perception of cyberspace as a location for intelligence

collection and exploitation. It links the cyber domain explicitly with adversarial intelligence activity,

which implies a necessity of body or function to guard against such activity: by definition, this

elevation requires a management response of CCI.

There is a much greater focus in the ‘09 Update on the role and function of the intelligence and

security services than appeared in the original 2008 Strategy. In keeping with the ‘09 Update’s

theme of internationalism, there is also explicit mention of the role and function of the security

and intelligence services of the UK’s allies in the safekeeping of British national security:

Some hostile state actions, particularly in times of conflict or heightened tension, could be carried out overtly but many will be covert. Our security and intelligence agencies, together with those of our allies, play a critical role both in providing insight and early warning on states’ capabilities and intent and in enabling us to best mitigate or defend ourselves against specific threats.363

Again, the importance of counterintelligence can be inferred here, particularly when the

articulation of ‘specific threats’ is made; safeguarding the nation’s security and secrets are the key

responsibilities of the counterintelligence practitioner. Though there is no particular mention of

cyber or cyberspace in relation to the preceding quote or the inferential discussion on

361 Cabinet Office of the United Kingdom, 65 para 6.6. 362 Cabinet Office of the United Kingdom, 66 para 6.8. 363 Cabinet Office of the United Kingdom, 68 para 6.12.


129

counterintelligence, considering the focus on ‘high-technology approach’ and repeated mention of

information and communications technologies, I believe it to be a fair assumption that some of

the foreseen ‘specific threats’ either take place in, or are enabled by, cyberspace. While there is a

statement on the importance (and utility) of aggressive forms of intelligence and

counterintelligence to national security, it is once more articulated in specific reference to the

terrorist threat against the UK rather than as a general assumption of practice.364 There is also an

announcement for significantly increased funding towards counterterrorism and intelligence,

though unqualified (as may be expected in an unclassified document).365

In the ‘09 Update, cyberspace is recognised as a domain within which threats to national security

can arise and through which they can be delivered or enabled. However, it is not considered a

specific threat in and of itself.366 Linked to the concern surrounding future terrorist threat and the

ongoing recognition of weapons of mass destruction (WMD) as a national security threat, the fear

of terrorists gaining knowledge of chemical, biological, radiological or nuclear (CBRN) technology

is articulated in Chapter 7 in connection with widespread use of and access to the internet.367 That

access to the Internet gives individuals and groups access to potentially dangerous information,

and has made information on CBRN devices potentially more readily available to interested parties.

In combination with dual-use technologies, the UK assesses the threat of terrorists gaining CBRN

capabilities through greater informational access via the Internet as concerning.368 In situations like

this, the state can and should utilise CCI as knowledge of who is interested in and displays an

intent to acquire or use these technologies is relevant to national security. Identifying and tracking

these actors through (their use of) cyberspace is a direct form of CCI as defined in this thesis.

Admittedly, the assertion is made that “[i]n the technological domain, the need for security in cyber

space [sic] is now a pressing concern.”369 However, there is no subsequent discussion of the

potential elements or requirements of how this problem could or should be solved. Lacking even

a definition of what a (more) secure cyberspace actually looks like, the reader is once again left

with more questions than answers. What is a secure cyberspace? How is the UK defining either

the space, or the characterisation of ‘secure’? What are the building blocks of a more secure

cyberspace? How will the UK address the threats and risks that it has identified or forecast, and in

364 Cabinet Office of the United Kingdom, 78 para 6.37. 365 Cabinet Office of the United Kingdom, 80 para 6.42. 366 Cabinet Office of the United Kingdom, 93 para 7.2. 367 Cabinet Office of the United Kingdom, 95. 368 Cabinet Office of the United Kingdom, 95 para 7.7. 369 Cabinet Office of the United Kingdom, 99 para 7.27.


130

what ways? The 2009 Update undoubtedly contains the first steps toward the threat elevation of

cyberspace in the UK national security documentation, following on from the 2008 national

security strategy. The security authorities of the UK government are building their awareness and

understanding of the threat potential of cyberspace. That these questions are unanswered only

points to the need for a greater focus on, and understanding of, CCI at the state level, as well as

the necessity of a holistic approach to the management of cyberspace-enabled risks.

The ’09 Update differs significantly from the original 2008 Strategy in that it does devote a section

of the document explicitly to cyber security: paragraphs 7.35 through 7.44 deal explicitly with

observations about the relative (in)security of the cyber space. According to the ’09 Update, the

“cyber space encompasses all forms of networked, digital activities; this includes the content and

actions conducted through digital networks.”370 While this may be a workable definition of cyber-

enabled actions, as a description of cyberspace in itself, it is somewhat lacking: it doesn’t include

the cyber-physical infrastructure upon which cyberspace rests and through which information and

communications are conveyed. There is a potential for this definition to require the response to

disinformation as both content and activity conducted through digital networks, which would

engender both overall cyber security requirement as well as specific cyber counterintelligence

measures (in regards to specific campaigns and operation). A particularly insightful section dealing

with the potential threats that are enabled by cyberspace identifies the ease of entry and the

varieties of attacks that can be perpetuated at relatively low cost to include both espionage and

disinformation:

The asymmetric, low cost, and largely anonymous nature of cyber space makes it an attractive domain for use by organised criminals, terrorists, and in conventional state-led espionage and warfare. Those with hostile intent can, for whatever reason, use a variety of methods of attack…to gather intelligence, spread false information, interfere with data or disrupt the availability of a vital system.371

Left unarticulated is the fact that all these elements, while they are potential threats against the UK

(and all states with digital presences), the UK can also take advantage of these elements in its own

pursuit of national security. Positive use of the Internet to gather intelligence; spread false

information; interfere with data or disrupt the availability of a vital system, etc. have all been

demonstrated over the last decades (and increasingly in contemporary times), and all have

370 Cabinet Office of the United Kingdom, 102 para 7.35. 371 Cabinet Office of the United Kingdom, 102 para 7.37.


131

moreover been demonstrated against the UK.372 However, the same systems and methods used to

conduct operations against the UK can also be used by the UK against hostile parties; the same

exploits and malware used against the UK can in turn be exploited and used by the UK. This is

one of the key features of counterintelligence, and evidence of the importance of CCI being

systematically understood and employed. While active and proactive CCI (see chapter five) are

more relevant to state actor operations, the education of the public (the audience) in basic CCI

practices will contribute to the aggregate cyber resilience and security of the UK, which will be

considered further in chapters five and six.

One particularly important instance of an elevating act directly relevant to the cyber security of the

UK arises in the latter paragraphs of the cyber section, specifically in 7.41, with the creation of the

Office of Cyber Security (OCS), intended to coordinate a cyber framework and policy.373

According to elevation theory, the creation of an agency, department or branch is an elevating act

most likely to occur in an attempted risk management process (following the elevation of perceived

risk of an issue, but lacking the elements of existential danger and immediacy of a securitisation).374

While cyberspace has been framed as an increasing risk in the ’09 Update, it remains to be seen

whether any single act can be said to support the claim of a securitisation process having been

instigated. The additional creation of the Cyber Security Operations Centre (CSOC) is further

evidence to the increasing acknowledgment of, and threatening nature of, threats enabled or

conducted by and through cyberspace.375 The highly interconnected nature of public opinion and

(the security of) cyberspace is also specifically acknowledged.376 While the potential effects of that

relationship on the national security of the UK are briefly considered, with the benefit of hindsight,

this could have been more deeply explored and the public more broadly educated on the

interactions of cyber-enabled technologies and the public space. A holistic approach to conducting

CCI for the benefit of individual and state security requires the recognition of threats to audiences

as well as infrastructure, given the human element is an irrevocable part of cyber resilience and

security. The importance of considering the education, as well as the protection of the public in

372 Disinformation will be discussed further in chapter six. See also Karim Amer and Jehane Noujaim, The Great Hack, Documentary, 2019, https://www.netflix.com/au/title/80117542; Bradshaw and Howard, “The Global Disinformation Order: 2019 Global Inventory of Organised Social Media Manipulation”; Fallis, “A Conceptual Analysis of Disinformation”; Rid, Active Measures: The Secret History of Disinformation and Political Warfare. 373 Cabinet Office of the United Kingdom, “The National Security Strategy of the United Kingdom: Update 2009,” 103 para 7.41. 374 See the discussion of extraordinary measures and risk management in chapter three. 375 Cabinet Office of the United Kingdom, “The National Security Strategy of the United Kingdom: Update 2009,” 103 para 7.43. 376 Cabinet Office of the United Kingdom, 105 para 7.54.


132

relation to cyber-enabled threats, will be examined in relation to the rising threat of disinformation

in chapter six.

2010: A Strong Britain in an Age of Uncertainty: National Security Strategy

The 2010 National Security Strategy (henceforth “the 2010 Strategy”) speaks in the foreword of

the vulnerabilities of increasingly networked and open societies.377 In terms of identifying the

primary and grave threats to the security of the UK, cyber[space] is second only to terrorism,

followed by “chemical, nuclear, and biological weapons as well as large scale accidents or natural

hazards...”378 There is also an explicit recognition of the dangers posed to the state by non-state

actors, an important divergence from traditional understandings of danger at the systemic level –

the continued focus on the threat of terrorism dovetails with this expansion of hostile actor

identification. The 2010 Strategy was published simultaneously with the Strategic Defence and

Security Review, which details the methods of dealing with the current and future threats examined

in the 2010 Strategy, and which will be the focus of the subsequent section.

Following severe criticisms of the prior Administration’s handling of both the national budget and

various national security matters – “in an age of uncertainty, we are continually facing new and

unforeseen threats to our security…the last Government took little account of this fact” – the

2010 Strategy identifies clearly the national security priorities of the incoming Administration, with

terrorism and cyber taking priorities 1 and 2, respectively.379 There is an overt acknowledgement

that British interests are best served by continued international engagement, namely as a member

of the European Union (EU) and a permanent (P5) member of the United Nations Security

Council (UNSC). Alliances and alliance networks also feature in the introduction to the ‘Age of

Uncertainty,’ so-called due to the modern era of rapidly transforming and proliferating threats.380

In line with the discussion from chapter three and what we would expect to see when a threat is

being elevated, the introductory material of the 2010 Strategy contains a discussion of the

importance of identifying risks and engaging in risk management to prevent those risks developing

into crises. Accordingly, the 2010 Strategy is claimed to be the first such document produced

377 Cabinet Office of the United Kingdom, “A Strong Britain in an Age of Uncertainty: The National Security Strategy” (The Stationery Office, 2010), 3, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/61936/national-security-strategy.pdf. 378 Cabinet Office of the United Kingdom, 3. 379 Cabinet Office of the United Kingdom, 4–5. 380 Cabinet Office of the United Kingdom, 3.


133

alongside a prioritisation framework and capabilities assessment in pursuit of a holistic view of the

UK’s potential to achieve the state’s defence and security goals.

Threats and Drivers

While the “top priority” is identified as “countering the threat from terrorism at home and

overseas,”381 there is an adoption of the concept of resilience as an aspirational description of what

British security should look like. Cyber-attack is identified as the second highest-priority risk to

UK national security. However, it is tied to terrorism as a potential tool for terrorist attackers.382

While there is no doubt significant danger involved in terrorist use of cyberspace, to tie the inherent

risks of cyberspace to the risk of terrorism is to fail to consider the variety and severity of risks

and threats possible in, and through, cyberspace beyond the range of terrorist acts. While there is

an extensive focus on the risks of terrorism and insurgency, with particular focus on Afghanistan

as an example of instability and insurgent warfare and Al-Qaeda as a direct threat, a significant

development in the 2010 Strategy is the first appearance of the term ‘hostile espionage activity’ in

the same section as ‘cyber-attack.’383 While there is an either/or format utilised in the examination

of these two interrelated risks, one can infer a growing acknowledgement of the (potential)

connection between the two, itself a minor elevating act for future riskification and risk

management. Importantly, there is a specific articulation of the multiplying effect of cyberspace

on the dangers and potential consequences of (foreign, hostile) espionage activity.384 There is a real

need here, if implicit, for cyber counterintelligence to evolve in response to the force-multiplication

and geographic reduction effects of cyberspace as a location of intelligence collection and

exploitation operations. In terms of elevating both the risks of cyberspace and the importance of

CCI, this is an important continuation on the elevation process begun in the ’09 Update. This

signals a continuity of conceptual and strategic development, as well as an elevation of the

perception of the risk.

The 2010 Strategy does note a lack of specific “existential threat to…security, freedom or

prosperity,” which is a clear statement against the genuine securitisation of any issue, but in context

of the discussion of identified (less than existential) threats to British security is taken as evidence

of advanced riskification of those identified threats and drivers.385 In combination with the

381 Cabinet Office of the United Kingdom, 9 para 0.7. 382 Cabinet Office of the United Kingdom, 11 para 0.18. 383 Cabinet Office of the United Kingdom, 14 para 1.5. 384 Cabinet Office of the United Kingdom, 14 para 1.9. 385 Cabinet Office of the United Kingdom, 15 para 1.11.


134

recognition that access to the Internet (and social networking sites in particular) are allowing

geographically disparate groups to coalesce over relevant issues and exert influence over

‘international governments and organisations,’ one potential inference is that while psychological

dangers to democratic audiences are not overtly acknowledged to be engendered by adversarial

operations, the possibility exists for those operations to affect decision-making and policy-making

capacity.386

There is also a subtle identification of the importance of counterintelligence in the recognition of

hostile intelligence-gathering activities and cyber-attacks, as well as the potential of malign

influence operations, though I note that this is a qualitative inference based on documentary

context.387 Paragraph 1.32 states that the adversaries faced by the UK “will change and diversify as

enemies seek means of threat or attack which are cheaper, more easily accessible and less

attributable than conventional warfare. These include gathering hostile intelligence, cyber-attack,

the disruption of critical services and the exercise of malign influence over citizens or

governments.”388 This is an important initial recognition of the intent of malicious actors to affect

audience psychology, and CCI is needed to both identify these influence campaigns, subvert them,

and identify the adversaries undertaking them. It also builds upon a similar recognition in the ’09

Update that the UK is subject to hostile intelligence-gathering activity, of which a significant

percentage is undertaken through cyberspace.389 This is an important element of the continuous

elevation of threat by the British government in relation to cyberspace. While no one event has

occurred which could be used as a securitising act, there is an increase in threat perception which

is communicated through the evolution in language throughout the national security

documentation thus far. As discussed in chapter three, there has been a gradual discursive

riskification, which requires risk management measures; there has not yet been a securitisation,

which requires more direct mitigation.

Interestingly for intelligence-gathering and counterintelligence in cyberspace, the 2010 Strategy

explicitly identifies the free flow of information on the Internet as crucial to the British information

economy and as such to the general (national) interest of the UK, without noting or recognising

the potential drawbacks of that same free flow of information; namely, the free flow of

disinformation and foreign propaganda. The rise and dangers of disinformation will be considered

386 Cabinet Office of the United Kingdom, 16 para 1.21. 387 Cabinet Office of the United Kingdom, 18 para 1.32. 388 Cabinet Office of the United Kingdom, 18 para 1.32. 389 Cabinet Office of the United Kingdom, “The National Security Strategy of the United Kingdom: Update 2009,” 66 para 6.8.


135

further in chapter six, following the chapter five definition, typology, and examination of cyber

counterintelligence. The identification of the ‘real and present threats’ of terrorism and cyber-

attack speak more to the elevation of (critical national) assets than to the security and integrity of

information to which the public has access, despite the statement and examination of a risk

identification, prioritisation, and management framework as would be expected according to the

threat elevation framework.390 According to the 2010 Strategy, this framework will help to

“prioritise the risks which represent the most pressing security concerns in order to identify the

actions and resources needed to deliver our responses to these risks,” which is a perfect

representation of a riskification process and the elevation of identifiable risks to security into a

management framework.391

Unlike the ’09 Update, where cyberspace is considered a domain in which national security threats

can arise, but is not a threat in and of itself, in the 2010 Strategy, cyberspace is the second-ranked

Tier 1 threat (following terrorism).392 While elevation theory does not recognise the validity of

speaking a threat into existence as in traditional securitisation theory, between the ’09 Update and

the 2010 Strategy there is nonetheless an elevation of the relative threat level of cyberspace to a

genuine national security threat. This inference is strengthened by the acknowledgement in the

2010 Strategy that the UK must “take action precisely to prevent risks that are in Tier Two or

Three from rising up the scale to become more pressing and reach Tier One,” thereby recognising

the substantially higher threat profile of cyberspace from one Strategy to the next. The tiered threat

matrix aligns with the elevation framework proposed in chapter three,393 and introduces the

advanced risk management processes intended to stabilise cyberspace according to UK

requirements.

This is the clearest indication yet that states approach risk and threat recognition in a structured,

tiered way, as suggested by threat elevation analysis. The UK has created a native version of the

threat elevation pyramid; even though threat elevation analysis is designed for post hoc examination

of threat recognition and related policy decisions, the similarities between the threat elevation

analysis framework and the UK version suggest that threat elevation analysis could also be

developed for prescriptive use. Despite the status of cyberspace as a Tier One threat, there is no

further evidence to indicate a successful securitisation of cyberspace such that extraordinary

390 Cabinet Office of the United Kingdom, “A Strong Britain in an Age of Uncertainty,” 25 para 3.1. 391 Cabinet Office of the United Kingdom, 26 para 3.13. 392 Cabinet Office of the United Kingdom, 27. 393 Cabinet Office of the United Kingdom, 28.


136

powers of mitigation can or should be claimed. The continued focus on the link between terrorism

and cyberspace obscures the variety of alternative threats that cyberspace has the potential to both

represent and transmit, but without a significant elevating event or claim by the UK government.

So, according to threat elevation theory, cyberspace in the UK was successfully riskified by this

point, though heavily weighted toward systems and infrastructure rather than holistically.

Significantly, there is a differentiation in the 2010 Strategy between risks and threats, with the

expected terminology (according to threat elevation analysis) of mitigation and management

utilised: “…preventing and mitigating the Tier One risks are the top priority ends of the

Strategy.”394

2010: Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review

The Strategic Defence and Security Review that accompanied the 2010 National Security Strategy

(published at the same time as the 2010 Strategy) is intended to outline the means and ways of

enacting and securing the national security priorities identified in the 2010 Strategy. The Foreword

of the 2010 Strategic Defence and Security Review (hereafter the “2010 SDSR”) once more

confirms the threat to the national security of the UK from terrorist actors, though for the first

time starts to expand the discussion of terrorism into the drivers of radicalisation and the

importance of counter-radicalisation measures. In addition to announcing the creation of the

National Security Council,395 the Foreword takes up the concept and framework of national

resilience in broad terms, a continuation of the trend seen in the 2010 Strategy. Importantly for

the examination of the threat elevation of cyberspace in the UK, the 2010 SDSR also recognises

the increasing risk of cyberspace to UK national security and prosperity, a promising development

so early in the document.396

While much of the 2010 SDSR is taken up with a discussion of the national defence and security

budget, and the necessity and means of bringing it to a more controllable and responsible state,

there is also an early acknowledgement of the continued importance of counterterrorism, a

comparatively early occurrence next to prior national security documents. At approximately twice

the length of the 2010 Strategy (76 pages to 37), the 2010 SDSR provides more of the tactical,

operational statements, purposes, and methods of achieving the national security priorities. The

394 Cabinet Office of the United Kingdom, 31 para 3.45; 33 para 4.09. 395 Cabinet Office of the United Kingdom, “Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review” (The Stationery Office, 2010), 3, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/62482/strategic-defence-security-review.pdf. 396 Cabinet Office of the United Kingdom, 4.


137

early identification of terrorism as a security threat is consistent with prior strategies, and the

accompanying recognition of the threat potential of cyberspace indicates the acknowledged

increase in threat assessment. That it appears alongside a high-tier threat such as terrorism in the

foreword to national security documentation is a clear indication of a considerable elevation of

perceived risk or threat.

Threats and Drivers

The concept of resilience appears early in the 2010 SDSR, contained within the ‘National Security

Tasks and Planning Guidelines’.397 Despite this, and consistent with previous national security

documentation, while the SDSR does not explicitly define resilience, p.13 does provide a short

description of what resilience looks like as a deliverable, which is the provision of “resilience for

the UK by being prepared for all kinds of emergencies, able to recover from shocks and to

maintain essential services.”398

There is also early encouragement for the development of counterterrorism and cyber security

measures; the contiguous placement of these two threats is a strong indication that the perception

of cyberspace as a threat vector has significantly increased in the UK since the publication of the

2008 National Security Strategy, and that cyber security might receive similar attention as does

terrorism in terms of countermeasures and funding. This SDSR also begins to emphasise the use

and importance of the state intelligence services and assets in relation to national security.

Nonetheless, as expected according to the nature of intelligence services and assets, there is little

discussion or examination of those services and assets. However, their mention and

acknowledgement are an important development for the elevation of cyber-based or -enabled

threats, particularly in terms of the importance of the intelligence services in both active and

proactive counterintelligence in cyberspace. While no overt link is made between the importance

of the intelligence services and the acknowledged risk of cyberspace, the fifth guideline articulated

in the National Security Tasks and Planning Guidelines identifies the necessity of using the

intelligence services to protect the UK against both “physical and electronic threats from both

state and non-state actors.”399

While there is a subsequent explicit link made between the intelligence services and protecting the

UK against terrorist threats specifically, once more associating terrorism and cyberspace without

397 Cabinet Office of the United Kingdom, 9. 398 Cabinet Office of the United Kingdom, 13 para 7. 399 Cabinet Office of the United Kingdom, 12.


138

consideration of alternate threats, this is an important development in conceptual understanding

of the operational context of cyberspace. Here we see further evidence of the progressive and

consistent threat elevation of cyberspace as a risk to the national security of the UK. That this is

occurring in parallel to the growing recognition of the role and necessity of the intelligence

community in the protection against such risks is implicitly indicative of both the requirement and

the practice of CCI. Where cyber security concerns the overall defence of cyberspace, and cyber

defence concerns the protection of networks, cyber counterintelligence is (at least in part) about

the defence of information and tracking those who attempt to appropriate and exploit that

information through cyber-enabled means. It is also proof that political concerns often undergo

an incremental increase in threat perception based on the relationship between parties and

evidence of danger, rather than being spoken into existence (as with traditional securitisation).

Interesting for this thesis is the characterisation of the use of ‘cyber’ as an asymmetric tactic, and

that future conflict spaces will require resilient communications; the inference here is that future

communications, as well as conflict between hostile parties, will take place at least in part on or

through cyberspace, and that it may be difficult to mitigate or respond given the asymmetric nature

of cyber-attacks or exploits.400 The linking of cyberspace to resilience is an interesting development

in that it indicates an acknowledgement that true security in cyberspace is an unreasonable goal,

given the profusion of potential adversaries and increasing variety of threat vectors and

vulnerabilities. This section also sees the first use of the term ‘cyber operations’ as a unique activity,

which speaks to both recognition of adversarial movement in cyberspace and, potentially, to the

ability of the UK to undertake such operations and activities.401

The 2010 SDSR describes an overarching adaptable strategic posture, one specific aspect of which

is how to “manage the risks” to the national security of the UK, which aligns perfectly with the

expected path of elevation according to the threat elevation framework offered in this thesis.402

Management of risks in order to prevent further elevation (securitisation) of that risk to the level

of a true threat to national security that would require extraordinary measures should be the

operative goal of any national security strategy; the ultimate aim of such management is the

attenuation of that risk (or threat), such that it no longer requires additional (or, in the best case,

continuing) mitigation, management, or other-than-ordinary consideration. There is an extended

400 Cabinet Office of the United Kingdom, 16. 401 Cabinet Office of the United Kingdom, 17. 402 Cabinet Office of the United Kingdom, 19 para 2.16. For a discussion of threat elevation analysis, see chapter three.


139

examination of Defence Force posture and capacity, expected for a Defence and Security Review;

notable is the emphasis on intelligence capability throughout.

The 2010 SDSR also announces the creation of the Defence Cyber Operation Group (DCOG),

which represents a cross-government approach and the integration of capabilities across both

cyber and physical space.403 This is a significant development in terms of the threat elevation

analysis framework, which posits the creation of a specific agency or group as an elevating event,

given that such a creation could only occur if the subject of that agency or group had been

acknowledged as significant enough a risk or threat that a dedicated team is required.404 Given the

consistency of incremental elevation of concern in previous Strategies, it is fair to assess the

creation of the DCOG is an elevating act that finalises the (successful) riskification of cyberspace

as a threat vector. A dedicated agency or group is an explicit measure of risk management. It is

worth noting that despite the creation of a dedicated team within Defence that is intended to

represent a cross-government approach, there is an ongoing confinement of cyber threat as

pertinent to systems and data. There is no recognition that there exists a threat to democratic

audiences (people and decision-making) as there is to assets, which are explicitly recognised as

being vulnerable in each of the national security documents thus far analysed.

In relation to the development and understanding of CCI, observations are only possible through

inference. In addition to the presumably classified nature of assets and methods, there is at best a

nascent link between the existence and vulnerabilities of cyberspace and the function and

operation of the intelligence services, at least in the public domain as represented by the national

security documentation selected for analysis in this thesis. There is an articulation in the SDSR

discussion on science and technology of the uses of unmanned aerial vehicles (UAVs) and

surveillance technologies designed to inhibit the ability of hostile actors to move in secrecy,405 but

considering the overall focus on the threat of terrorism throughout the UK national security

documentation, it is inferred that this is more in reference to counterterrorism and counter-

insurgency operations than in cyberspace. Regardless, it is an important acknowledgement (if

implicit) of the importance of counterintelligence to operational and national security. The 2010

SDSR does articulate the “implications of the Strategic Defence and Security Review for

intelligence,” and though the overriding focus remains on terrorism as a threat, there is also an

acknowledgement of the intelligence agencies providing a “sufficient technical platform for the

403 Cabinet Office of the United Kingdom, 27 para 2.A.15. 404 See the “Extraordinary Measures” discussion in chapter three. 405 Cabinet Office of the United Kingdom, “Securing Britain in an Age of Uncertainty,” 28 para 2.A.16.


140

cyber security program.”406 There is another implicit reference to CCI capabilities and requirements

in the subsequent section in reference to communications interception, but, again, is only in

relation to counterterrorism operations.407 The focus on the technical aspects of CCI without

contemporaneous recognition of the human factor is at least consistent, though a serious oversight

in terms of continued democratic integrity and the desired national resilience of the UK.

Unlike previous national security documents, the 2010 SDSR has a significant section on cyber

security, extending across three pages.408 The discussion of cyber security is entwined with the

utility of cyberspace to British national interests, and here we see the use of new terms specific to

the examination of cyberspace and cyber security, including cyber infrastructure (further focus on

assets and infrastructure) and cyber products/services (in relation to aforementioned assets and

infrastructure).409 Further links are also made between the concept of national resilience and the

cyber domain, identifying so-called ‘vital networks’ as being critical to the security and interests of

the UK. Where the DCOG was created in order to “mainstream cyber security throughout the

Ministry of Defence and ensure the coherent integration of cyber activities across the spectrum of

defence operations,”410 the SDSR also announces the creation of the Cyber Infrastructure Team

within the Department for Business, Innovation and Skills,411 and the Office of Cyber Security and

Information Assurance within the Cabinet Office412, which are intended to secure the integrity of

cyber-related infrastructure and digitally created and stored information, respectively. This is

further clear evidence of the riskification of cyberspace and cyber-enabled adversarial activity, but

also continues the focus on assets and infrastructure while failing to recognise the vulnerability of

the British public to cyber-enabled operations intended to influence or affect their decision-making

and behaviour.

2015: National Security Strategy and Strategic Defence and Security Review: A Secure and

Prosperous United Kingdom

The 2015 iteration of the National Security Strategy of the United Kingdom also contains the

‘2015 Strategic Defence and Security Review’, where the 2010 iterations were published as separate

documents. The foreword of the 2015 Strategy and Review (hereafter “2015 NSS/SDSR”) makes

406 Cabinet Office of the United Kingdom, 43. 407 Cabinet Office of the United Kingdom, 44 para 4.A.5 point 5. 408 Cabinet Office of the United Kingdom, 47–49. 409 Cabinet Office of the United Kingdom, 47. 410 Cabinet Office of the United Kingdom, 47 para 4.C.3 point 3. 411 Cabinet Office of the United Kingdom, 48 para 4.C.3 point 4. 412 Cabinet Office of the United Kingdom, 49 para 4.C.3 point 8.


141

an immediate link between the economic security of the UK and its national security. Following

the 2010 documents, which identified the economic imbalance and undertook to address that

imbalance, it is unsurprising that a similar emphasis appears in the subsequent documentation.

There is also an early recognition of the danger of cyber-attacks relative to previous iterations,

appearing on the first page of the foreword of ‘A Secure and Prosperous United Kingdom’.413 Also

in the foreword is a strong recognition of the importance of the work of the intelligence and

security agencies – while this is once more closely related to the counterterrorism mandate, it is

the earliest articulation of their work and purpose of the national security documents thus far

analysed.414 Also consistent with previous documents is the reliance on the concept of national

resilience as an aspirational characteristic of British security.

While the primary security threat to the UK is still identified as terrorism, in the 2015 NSS/SDSR

cyber security and the status of the UK as a world leader in that field is a close second. This is

tightly linked to the goal of a resilient UK, though the specifics of resilience are once more left to

inference from context and general understanding.415 The 2015 NSS/SDSR identifies three

National Security Objectives which should drive the UK; “protect [British] people; protect [British]

global influence; promote [British] prosperity.”416 There is considerable emphasis on the global

nature of the UK, the relationships and influence it maintains and the relationships it would like

to build or strengthen in the future.417 Dovetailing that, however, is the recognition that state-based

threats are an increasing concern in the national security context, the direct specification of which

has been absent from previous documents.418 While state-based threats are often considered in

terms of military engagement, it is important to point out here that intelligence collection by states

takes place commonly and consistently. It is also likely to increase in the context of potential

conflict. In this respect, the recognition of state-based threats must also be a recognition of danger

beyond the militaristic: cyber security becomes more important in the general sense, and cyber

counterintelligence in the particular sense as state and citizens seek to protect their own data and

information from the adversary.

413 Cabinet Office of the United Kingdom, “National Security Strategy and Strategic Defence and Security Review 2015: A Secure and Prosperous United Kingdom,” 2015, 5, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/555607/2015_Strategic_Defence_and_Security_Review.pdf. 414 Cabinet Office of the United Kingdom, 6. 415 Cabinet Office of the United Kingdom, 10. 416 Cabinet Office of the United Kingdom, 11–12. Written in the Strategy as “protect our people; protect our global influence; promote our prosperity.” 417 Cabinet Office of the United Kingdom, 14. 418 Cabinet Office of the United Kingdom, 15.


142

Threats and Drivers

Terrorism is once more listed as the primary security concern of the UK, though in this document,

domestic extremism is specified as a related concern.419 Again, there is an explicit link between the

dangers of terrorism and cyberspace, the connection being the recognition that terrorist actors are

utilising social media platforms and networks for the diffusion of propaganda.420 While this is an

important link and has been the subject of significant research,421 the lack of development of the

threat elevation of cyberspace in terms of people beyond terrorist actors (both as a vector for

attack by adversaries and a vulnerability for the population, the audience) is a failing of the national

security conception of the UK in the documents analysed thus far. Chapter six will examine the

issue of audiences as security vulnerabilities more thoroughly, in the context of democratic integrity

and the rise of disinformation. The argument that will be developed there, and that I introduce

here, is that a holistic approach to national security is impossible to achieve unless the threat to

audiences is elevated to the same level as critical national infrastructure, and that CCI is crucial to

any such endeavour.

A more significant development in terms of elevating the risks of cyberspace is the greater

emphasis on the dangers of hostile intelligence activities by state actors than was seen in previous

iterations. The explicit identification of cyber operations undertaken as intelligence activities is

particularly noteworthy as it is the first time that the activities have been so overtly linked and

419 Cabinet Office of the United Kingdom, 15 para 3.3. 420 Cabinet Office of the United Kingdom, 16 para 3.8. 421 See Maura Conway et al., “Disrupting Daesh: Measuring Takedown of Online Terrorist Material and Its Impacts,” Studies in Conflict & Terrorism 42, no. 1–2 (February 1, 2019): 141–60, https://doi.org/10.1080/1057610X.2018.1513984; Christina Archetti, “Terrorism, Communication and New Media: Explaining Radicalization in the Digital Age,” Perspectives on Terrorism 9, no. 1 (2015): 49–59; Monika Bickert and Brian Fishman, “Hard Questions: How Effective Is Technology in Keeping Terrorists off Facebook?,” About Facebook (blog), April 23, 2018, https://about.fb.com/news/2018/04/keeping-terrorists-off-facebook/; Kurt Braddock and John Horgan, “Towards a Guide for Constructing and Disseminating Counternarratives to Reduce Support for Terrorism,” Studies in Conflict & Terrorism 39, no. 5 (May 3, 2016): 381–404, https://doi.org/10.1080/1057610X.2015.1116277; Adam Henschke and Alastair Reed, “Toward an Ethical Framework for Countering Extremist Propaganda Online,” Studies in Conflict & Terrorism, March 8, 2021, 1–18, https://doi.org/10.1080/1057610X.2020.1866744; Haroro J. Ingram, A Brief History of Propaganda During Conflict: Lessons for Counter-Terrorism Strategic Communications, ICCT Research Paper (The Hague: The International Centre for Counter-terrorism, 2016), https://books.google.com.au/books?id=XRWTAQAACAAJ; Rita Katz, “To Curb Terrorist Propaganda Online, Look to YouTube. No, Really. | WIRED,” October 20, 2018, https://www.wired.com/story/to-curb-terrorist-propaganda-online-look-to-youtube-no-really/; Alastair Reed, “IS Propaganda: Should We Counter the Narrative?,” The International Centre for Counter-Terrorism, March 17, 2017, https://icct.nl/publication/is-propaganda-should-we-counter-the-narrative/; Alastair Reed, “Counter-Terrorism Strategic Communications: Back to the Future, Lessons from Past and Present,” The International Centre for Counter-Terrorism, July 4, 2017, https://icct.nl/publication/counter-terrorism-strategic-communications-back-to-the-future-lessons-from-past-and-present/; Kent Walker, “Four Steps We’re Taking Today to Fight Terrorism Online,” Google, June 18, 2017, https://blog.google/around-the-globe/google-europe/four-steps-were-taking-today-fight-online-terror/; Amy-Louise Watkin and Joe Whittaker, “Evolution of Terrorists’ Use of the Internet,” Text, Counter Terror Business, October 20, 2017, https://counterterrorbusiness.com/features/evolution-terrorists%E2%80%99-use-internet.


143

acknowledged, a clear elevation of the risks associated with cyber-enabled intelligence collection

and exploitation capacities.422 While there is no explicit examination of the nature of the

intelligence activities thus far identified as having been conducted against the UK, the appearance

of the linked activities in the 2015 NSS/SDSR indicates that there is or will be a program of

counterintelligence activities undertaken though cyberspace as a response to identified foreign

action. This is a significant development in the acknowledgement of CCI as necessary to state

security and resilience, even if implicitly acknowledged. The noticeable increase in uses of the terms

‘management’ and ‘mitigation’ in terms of risks and threats to security is also in line with the threat

elevation framework offered in this thesis, showing a division of perceived levels of concern and

methods of response.423

Regular focus on the purposes and uses of the intelligence and security agencies in terms of the

way in which the UK will respond to Objective 1 (Protect Our People) is both in line with the

increasing requirement for assessment of ongoing and emerging threats in an era of rapid

transformation, and indicative of the methods by which the UK intends to manage these risks.

Two short paragraphs deal explicitly with the dangers posed to the UK by ‘hostile foreign

intelligence activity;’ though consistent with previous iterations of the national security strategy,

these sections are not developed in any significant way.424 Potentially more significant, with the

developing perception of the UK’s administration of the growing risks associated with cyberspace,

is the declaration that cyber-attacks (and presumably exploitation) would be treated with the same

gravity as would be ‘an equivalent conventional attack.’425

Missing from this declaration and the surrounding paragraphs is an exploration of what is meant

by the phrase ‘equivalent conventional attack,’ or indeed how equivalent measures for attacks in

the cyber and physical domains have been constructed. Without signalling to adversaries (or allies)

how exactly the UK government is assessing cyber-attacks, and by what measures they are judging

the gravity of these attacks, the 2015 NSS/SDSR leaves the intelligence and security services of

the UK, and the domestic audience and international allies of the UK without a yardstick by which

to assess whether treaty alliances may be called upon in the event of a serious attack. It is possible

that these signals or communications may have been broadcast by more covert means, or by simple

bilateral relations; it is, however, impossible to judge whether such events have occurred based on

422 Cabinet Office of the United Kingdom, “National Security Strategy and Strategic Defence and Security Review 2015,” 18 para 3.23. 423 Cabinet Office of the United Kingdom, 21. 424 Cabinet Office of the United Kingdom, 25–26. 425 Cabinet Office of the United Kingdom, 24 para 4.10.


144

open-source material. Given the global audience for cyberspace and cyber security-related

research, however, as well as the constantly evolving threatscape of the cyber domain and the

profusion of actors therein, I judge it unlikely that such communications have taken place. It is

outside the scope of this research to consider bilateral or multilateral communications in relation

to the development of cyber norms, laws, or rules of engagement.426 This makes it more difficult

to gauge whether this language is a further riskification, or an attempt at securitisation through

event (pre-emptive identification of elevating event). Equating a cyber-attack with a conventional

attack requires some sort of measure; there must be a designed equivalence matrix, both integrated

domestically and communicated (overtly or covertly) externally, to know whether such an event

serves to engage further risk management measures, or whether there would be an immediate

securitisation and implementation of mitigation measures. This would also decide whether active

or proactive CCI will suffice as a countermeasure, or whether cyber or kinetic offensive

countermeasures will be deployed. This is an issue with which the Tallinn Manual processes have

engaged, but international consensus has yet to be reached and the Tallinn 3.0 process is in the

planning stages.427

The Armed Forces are identified as having the responsibility of contributing to the defence and

resilience of the UK in cyberspace, a notably overt linkage between a publicly accessible domain

and a national military, which seems to be an implicit recognition of the explicit requirement of

both defensive and offensive capacities.428 Beyond even that, paragraph 4.44 of the 2015

NSS/SDSR not only identifies the exploitation potential of cyber-enabled information collection,

but the capacity of the UK to both protect networks and attack the networks of others:

Joint Forces Command will lead the MOD’s work to improve its understanding go our security environment, using new information technology and greater analytical power to exploit big data, social media and both open source and classified material. We will maintain our satellite communications and invest in

426 I note that there are international fora wherein such issues are discussed, such as the Tallinn Manual scholars and the United Nations Group of Governmental Experts (GGE) assigned to the cyber domain. However, there is also significant disagreement among States party within and beyond participants to these and similar fora. It is unlikely that such issues will be settled comprehensively or soon, and as such research in this field would be a valuable contribution to the creation of knowledge in this space. See Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare; Schmitt and Vihul, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations; United Nations Office for Disarmament Affairs, “Group of Governmental Experts - Cyberspace,” United Nations Office for Disarmament Affairs, 2021, https://www.un.org/disarmament/group-of-governmental-experts/. 427 Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare; Schmitt and Vihul, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations; See also NATO CCDCOE, “CCDCOE to Host the Tallinn Manual 3.0 Process,” CCDCOE, 2020, https://ccdcoe.org/news/2020/ccdcoe-to-host-the-tallinn-manual-3-0-process/. Types of CCI (passive, active, proactive) will be articulated in chapter five. 428 Cabinet Office of the United Kingdom, “National Security Strategy and Strategic Defence and Security Review 2015,” 40–41 paras 4.103-4.112.


145

cyber and space capabilities. We will protect our networks, and attack those of our adversaries if necessary…429

In terms of the development of CCI, this statement identifies explicitly the intent of the

Government to be able to exploit and thus, to collect significant quantities of data from the cyber

domain using new and emerging technologies. By definition, the capabilities will need to be

protected from the intelligence collection of adversaries in order to protect national security assets

(active CCI) and explicitly identifies attacking the networks of others – depending on the

circumstances of the event, this could be both/either proactive CCI or outright cyber-attack. What

this Strategy does not go on to develop is the point regarding the reversal of this capability or

intent in terms of the vulnerabilities of the British population to foreign intelligence collection

and/or psychological manipulation.

The 2015 NSS/SDSR also acknowledged the establishment of the Centre for Cyber Assessments

and the UK Computer Emergency Response Team (CERT), clear examples of both elevated

perception of risk and implementation of measures for management of and response to that

perceived risk.430 There is also an additional commitment to the creation of a National Cyber

Centre, under the leadership of the Government Communications Security Headquarters (GCHQ)

with the mandate of managing “future operational response to cyber incidents, ensuring that [the

Government] can protect the UK against serious attacks and minimise their impact,” and that all

British citizens have a role to play in the protection of “computers, networks and data.”431 The

proliferation of cyber-specific government units continues with the creation of an intelligence unit

dedicated to analysing and mitigating the criminal use of the dark web, elevating the perceived risk

to British interests of cyber-crime.432 Consistent with previous national security documents,

however, the strategic focus remains on the protection of assets (computers, networks and data)

over the users of those computers and networks and the producers of that (exploitable) data: the

audience. Without focusing on the psychological integrity of the audience, which will affect the

information integrity of the data they produce, as well as potentially affecting democratic behaviour

in terms of political decision-making,433 this is a one-sided approach to national resilience with

regards to cyberspace. There is a notable development in this strategy in relation to cyber education

429 Cabinet Office of the United Kingdom, 30 para 4.44. Edward Snowden revealed much of the GCHQ and Allied surveillance capacity, though the impacted programs belonged primarily to the NSA. See Greenwald, No Place to Hide: Edward Snowden, the NSA and the Surveillance State; Harding, The Snowden Files: The Inside Story of the World’s Most Wanted Man. 430 Cabinet Office of the United Kingdom, “National Security Strategy and Strategic Defence and Security Review 2015,” 40 para 4.104. 431 Cabinet Office of the United Kingdom, 41 paras 4.109-4.110. 432 Cabinet Office of the United Kingdom, 41 para 4.114. 433 This is something I discuss in Chapter six.


146

programs and funding for defence and cyber innovation and research,434 but this requires both

significant development, as well as a more near-future action plan to secure audience psychological

resilience to cyber-enabled threats.

2018: National Security Capability Review

Immediately noticeable in the 2018 National Security Capability Review (hereafter “the NSCR”)

is the recognition in the foreword of the document of the rise of cyber-attacks against the UK.

Placed directly after recognition of state-based threats to the liberal international rules-based order,

and prior to identifying the rise in homeland terrorist/extremist threats, this signals a change in

the government’s perception of the dangers posed by actors in cyberspace.435 This is an explicit

elevation in the perceived potential of cyberspace to present a danger to national security and

interests, but is more accurately categorised as a riskification than a securitisation, given that there

is no statement of existential threat or any sort of temporal justification for extreme measures of

threat mitigation, which would be required for a securitising move.

While the document neither revises existing principles nor introduces new ones, there is a

continued emphasis on British resilience to the existing and varied threats to national security,

continuing the movement from static defence strategies to risk mitigation and defensive resilience

of the last several strategies and national security documentation. In respect to those threats, the

NSCR does recognise two challenges faced by the UK that were not focused on in previous

documents: the growth of serious organised crime (SOC), and the potential of serious diseases to

affect the security of the UK.436 It is worth noting that there is a continued emphasis on and

recognition of extremisms and/or terrorism against the security of the UK. Against the backdrop

of recognised threats and the expansion of potential consequences of each, however, terrorism

and the dangers posed by extremism and supporters has dropped to more of an identified ongoing

risk. This requires long-term management more than special powers of mitigation, which should

necessarily be shorter-term than anything intended to manage an assessed long-term challenge like

(international or domestic) terrorism.

434 Cabinet Office of the United Kingdom, “National Security Strategy and Strategic Defence and Security Review 2015,” 74–78. 435 Cabinet Office of the United Kingdom, “National Security Capability Review” (The Stationery Office, 2018), 2, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/705347/6.4391_CO_National-Security-Review_web.pdf. 436 Cabinet Office of the United Kingdom, 5.


147

Threats and Drivers

The articulation of the growth of state-based threats presents an interesting devolution toward a

more combative international relations than has necessarily been the case for several decades,

through the identification of historically hostile entities (such as the Russian Federation) as

upcoming threats to the national security of the UK; this is in line with the expectations of threat

elevation theory.437 Having a record of hostile or combative interactions with Russia’s prior

incarnation, the Soviet Union (USSR), the UK is able to successfully identify and riskify action

taken by Russia, and to adequately marshal resources for resilient defence against a known risk and

rising threat. That the Russian Federation is also singled out during the NSCR articulation of the

technological and/or cyber threats to the UK is telling: the UK may not anticipate more traditional

kinetic attacks from Russia, but have identified the cyber domain as the most likely vector for

current and forthcoming attacks from the identified hostile party.438 Certainly, the use of the phrase

“Hostile State Activity” is a concerning indication of the UK’s perception of Russian action and

intent in cyberspace and represents an elevation of the language used to identify potential threat

actors.439

The short discussion of ‘counterespionage powers’ on p.8 of the NSCR is the most explicit

reference to counterintelligence requirements or responsibilities in any of the national security

documentation thus far analysed for the UK.440 It is notable that the reference of counterespionage

powers used is in the context of human agents entering and/or operating within the UK that may

be a threat to British national security, but considering the apparent reluctance to identify

counterintelligence in explicit terms prior to this NSCR, which is a significant step.441Again,

Russian agents and diplomats are explicitly identified as elements of specific concern.442 The

strengthening of cyber defences and the development of space technologies for the purposes of

individual and collective self-defence is noted in the same section, though removed enough so as

not to relate directly to the importance or practice of (cyber) counterintelligence in those same

sectors.443 Investment in the defence, intelligence agencies, counterterrorism, and cyber sectors is

also stated,444 linking the dangers of terrorism and cyber, in particular, with deterrence. The UK

framework for national security identified and outlined in SDSR 2015 continues to guide national

437 Cabinet Office of the United Kingdom, 6. 438 Cabinet Office of the United Kingdom, 6. 439 Cabinet Office of the United Kingdom, 6. 440 Cabinet Office of the United Kingdom, 8. 441 Cabinet Office of the United Kingdom, 8. 442 Cabinet Office of the United Kingdom, 8. 443 Cabinet Office of the United Kingdom, 8. 444 Cabinet Office of the United Kingdom, 9.


148

security policy in the NSCR 2018, with three overarching objectives: i) protect [the British] people,

ii) project [British] global influence, and iii) promote [British] prosperity.445 It is worth noting that

in identifying what each of these goals mean (in short), much of the discussion links back to both

the traditional concept of territorial defence, but also to the importance of infrastructure in

protecting the British way of life. It also becomes a multi-sectoral risk elevation analysis, as ‘way

of life’ includes both the society/identity and economy sectors, to say nothing of political and

military (defence) sectors. While it can be assumed that the ‘way of life’ very much involves the

British citizenry, there is no indication of any intent to educate the British public about threats

emanating from cyberspace, nor the ability or capacity to protect themselves from undue influence

resulting from (so-called) hostile state activity conducted through cyberspace and/or cyber-

enabled technologies. This is a concerning indication that there is a lack of formal (or any)

recognition that the audience in a democracy is vulnerable to foreign interference through cyber-

enabled information warfare, and as such are a threat vector for democratic governments. The

audience needs to engage in individual CCI practices, which will contribute in aggregate to national

security. They also need to be made aware of, and educated about, foreign interference through

psychological manipulation such as disinformation campaigns. This will be discussed further in

chapter six in a short vignette considering a successful elevation of the foreign interference threat

to audiences, with regard to the practices of the Swedish government. The Swedish administration

has recognised disinformation as a threat and the audience as vulnerable, and engaged in

appropriate countermeasures which I will cover in due course.

Terrorism and counterterrorism remain cornerstone issues for British national security, which is

both understandable and expected following London stabbing and vehicle attacks and Manchester

concert bombing – recall from chapter three that according to threat elevation analysis, in addition

to events themselves being elevating acts, the legitimacy of threat elevation processes require

(historical) evidence.446 An interesting aspect of the discussion surrounding the UK

445 Cabinet Office of the United Kingdom, 9. 446 BBC News, “Parsons Green: Underground Blast a Terror Incident, Say Police,” BBC News, September 15, 2017, sec. UK, https://www.bbc.com/news/uk-41278545; BBC News, “Manchester Arena Blast: 19 Dead and More than 50 Hurt,” BBC News, May 23, 2017, sec. Manchester, https://www.bbc.com/news/uk-england-manchester-40007886; Danny Boyle, Chris Graham, and David Millward, “Finsbury Park Mosque Attack Latest: Theresa May Vows Hatred and Evil Will Never Succeed as Labour Warns of Rise in Islamophobia,” accessed May 15, 2021, https://web.archive.org/web/20170621045319/https://www.telegraph.co.uk/news/2017/06/19/finsbury-park-mosque-latest-terror-attack-london-live/; CBS News, “UK Police: 22 Confirmed Dead after Terror Incident at Ariana Grande Concert,” CBS News, May 23, 2017, https://www.cbsnews.com/news/ariana-grande-concert-manchester-arena-explosion/; Lizzie Dearden and May Bulman, “Isis Claims Responsibility for London Terror Attack,” The Independent, June 4, 2017, https://www.independent.co.uk/news/uk/home-news/london-terror-attack-isis-claims-responsibility-borough-market-bridge-a7772776.html; Vikram Dodd, “Palace Terror Suspect Was


149

counterterrorism strategy is the stated intent to make “the internet as hostile an environment as

possible for terrorists to use for propaganda, and ensure we have the critical access we need to

information on their communications.”447 At a minimum, this indicates an existing practice of

active CCI, and, depending on the measures utilised, could potentially mean the use of proactive

CCI operations. The typology of cyber counterintelligence will be discussed in the next chapter.

While these elements are very specifically linked to terrorist use of the Internet, the capacity for

operationalising against one actor in cyberspace can just as well be turned to another; it is no great

leap to assume that this same concept is in play concerning state actors or organised (aligned or

non-aligned) groups or individuals active in the cyber domain. Regardless, it is confirmation that

the UK is moving (or has moved) beyond an active defence of ‘their’ cyberspace to more proactive

CCI in support of national security. Thus, here we see a direct connection between the gradual

elevation of cyberspace as an increasingly important risk to UK national security, and the increased

role and need for effective CCI to monitor, mitigate, and respond to these threats, particularly

against intelligence collection and exploitation in cyberspace.

Coverage of, and attention to, cyber security could certainly be extended; in the NSCR, only two

pages are dedicated specifically to ‘cyber’ issues;448 cyber-crime and cyber threats from hostile states

are dealt with in the same paragraph. There seems to be a general recognition that UK cyber

security has not kept pace with the variety and variance of threats, which is certainly a step in the

right direction. However, for all the consideration, personnel recruitment and training, and

commitment to education programs like Cyber Aware449 for businesses, a greater focus is necessary

on current professional and older generations for the ‘now’ cyber security, not just on the youth

Uber Driver Who Had Tried to Get to Windsor Castle,” the Guardian, August 31, 2017, http://www.theguardian.com/uk-news/2017/sep/01/buckingham-palace-terror-suspect-had-tried-to-get-to-windsor-castle; Vikram Dodd and Matthew Taylor, “London Attack: ‘Aggressive’ and ‘Strange’ Suspect Vowed to ‘Do Some Damage,’” the Guardian, June 20, 2017, http://www.theguardian.com/uk-news/2017/jun/19/several-casualties-reported-after-van-hits-pedestrians-in-north-london; Alexandra Ma, “Parsons Green: Details on London Underground Bomb,” Insider, September 18, 2017, https://www.businessinsider.com/parsons-green-london-underground-attack-bomb-not-worked-properly-experts-2017-9?r=AU&IR=T; Kim Sengupta, “The Final WhatsApp Message Sent by Westminster Attacker Khalid Masood Has Been Released by Security Agencies,” The Independent, April 28, 2017, https://www.independent.co.uk/news/uk/crime/last-message-left-westminster-attacker-khalid-masood-uncovered-security-agencies-a7706561.html; The Irish Times, “London Terror Attack: Who Was Khuram Shazad Butt?,” The Irish Times, accessed May 15, 2021, https://www.irishtimes.com/news/world/uk/london-terror-attack-who-was-khuram-shazad-butt-1.3109174. 447 Cabinet Office of the United Kingdom, “National Security Capability Review,” 19. 448 Cabinet Office of the United Kingdom, 21–22. 449 Cyber Aware is the British Government’s published advice to citizens on increasing cyber security and which particular steps can be taken, 3 of which involve password security – classified in this thesis as (individual) active CCI. See National Cyber Security Centre, “Cyber Aware,” Cyber Aware, 2021, https://www.ncsc.gov.uk/cyberaware/home. See also “The National Cyber Security Centre,” The National Cyber Security Centre, 2021, https://www.ncsc.gov.uk/.


150

for future cyber security. The use and concept of Active Cyber Defence (ACD) is an interesting

point of reference in terms of specific measures the UK is undertaking, claiming to block “tens of

millions of attacks every week”.450 While there is no specification of what ACD might actually

comprise, it does appear to closely resemble what I have called active CCI,451 perhaps even

proactive CCI given the stated reduction in time that phishing websites are online.452 The

encouragement for industry and global partners to follow suit in implementing such measures that

make cyber-crime “more risky” does indicate a more aggressive, offensive approach to cyber

defence than has previously been observed.453 This is both a clear elevation in threat perception of

cyberspace comparative to previous strategies (indicating continuous evolution of strategic threat

perception), and a clear elevation of the necessity for active defence and countermeasures in

cyberspace. While the audience has yet to be developed as either vulnerable to foreign interference

or as a threat vector, language like that used to describe ACD lends credence to the typologies of

CCI I offer in chapter five, particularly in relation to active and proactive operationalisation, as

well as the strategic vs. tactical view on CCI. Throughout the section on cyberspace, as well as the

entirety of the NSCR, the concept of resilience underpins the strategy of the UK in terms of

defence. The ongoing commitment to infrastructure investment and education of technical

operators is a good first step, but further involvement in public education in and employment of

CCI is critical to ensuring the success of the current British system of democracy.

Analysis: Cyber Security Strategies

This section analyses the three cyber security strategies the UK has so far released, covering the

periods 2009-2011, 2011-2015 and 2016-2021. While there are considerably fewer strategic policy

frameworks for cyber security than there are general national security, given their more specialised

nature, these three documents presented a more detailed analysis of cyberspace as a threat vector.

Additionally, they contained a more developed framework for countermeasures and response to

risks and threats in relation to cyberspace than were present in the national security strategy

documentation detailed in the preceding sections.

450 Cabinet Office of the United Kingdom, “National Security Capability Review,” 21. 451 See chapter five. 452 Cabinet Office of the United Kingdom, “National Security Capability Review,” 21. 453 Cabinet Office of the United Kingdom, 21.


151

2009: Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space

Released in tandem with the 2009 Update to the National Security Strategy,454 the 2009 Cyber

Security Strategy of the United Kingdom (hereafter “the 2009 CSS”) is the inaugural cyber security

strategy of the UK.455 This document, shorter than subsequent strategies at 26 pages including

appendices, lays much of the foundation that the 2011 and 2016 cyber security strategies build

upon. There is immediate recognition of the reliance of the UK on the continued and efficient

functioning of cyberspace, as well as the increasing reliance on cyberspace of all sectors of British

society. Particularly pertinent to this study is the acknowledgement that not only do cyberspace

and cyber-enabled activities “affect organisations, individuals, critical infrastructure, and the

business of government,”456 but the fact that it points out that “the UK needs a coherent approach

to cyber security, and one in which the Government, organisations across all sectors, the public, and

international partners all have a part to play.”457 Given that historically, national security is the realm and

remit of the sovereign state, the recognition of the British government that an effective approach

to security and resilience in cyberspace requires participation from multiple sectors of society

beyond the state itself indicates that both approaches to, and the practice of CCI, will be requisite

for security at individual, collective, and national levels. It is also an indication that to properly

riskify cyberspace and introduce management measures for that risk, the government will need to

appeal to a broad audience (i.e., the public) given the requirement for public participation in, and

contribution to, efficient cyber counterintelligence practices.

The strategic objectives of the 2009 CSS are laid out explicitly and early. The UK Government

“will security the UK’s advantage in cyberspace…by reducing risk from the UK’s use of cyber

space [sic]…and exploiting opportunities in cyber space… through improving knowledge,

capabilities and decision-making.”458 These are broad strategic objectives and set lofty goals but

given that this is the inaugural cyber security strategy of the UK and frameworks for cyber security

and resilience are nascent, this is not unexpected. Specifically because this is the inaugural cyber

security strategy, there is an excellent opportunity to assess the development of the UK’s threat

perception of cyberspace, as well as the approach to CCI and cyber-enabled threats from the outset

of official documentation.

454 Examined earlier in this chapter. 455 Cabinet Office of the United Kingdom, “Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space” (The Stationery Office, 2009), 4, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/228841/7642.pdf. 456 Cabinet Office of the United Kingdom, 3. 457 Emphasis added; Cabinet Office of the United Kingdom, 3. 458 Cabinet Office of the United Kingdom, 4.


152

Threats and Drivers

The 2009 CSS sets an immediate understanding of the increasing risks posed by cyberspace with

the creation of two new agencies in order to properly address the UK’s perceived cyber challenges;

the Office of Cyber Security (OCS), and the Cyber Security Operations Centre (CSOC).459 As

briefly mentioned previously, appearing as early as it does in the Strategy, the creation of two new

agencies is a clear and overt acknowledgement of the threat elevation of cyberspace by the

governing Administration of the UK. The 2009 CSS also contextualises the British approach to

cyber security and resilience by analogising the security of cyberspace in the 21st century with

maritime security and air security in the 19th and 20th centuries, respectively.460 The Strategy also

identifies the strategic goals specified as part of a ‘vision for cyber security’ that will require a cross-

government and whole-of-society approach in order to be effective and efficient.461 Paragraph 1.2

explicitly requires contribution to the ongoing security and resilience of cyberspace from multiple

sectors – “[t]his document is aimed at all those people who work, communicate or interact using

cyber space, and therefore have a responsibility for maintaining and improving its security; this

includes individual members of the public, organisations across all sectors, and the

Government.”462 This paragraph indicates that there is not only a recognition that cyber security

cannot be addressed by the sovereign state alone, but that there is an implicit acknowledgment

that CS and CCI practices will need to be undertaken by all sectors of society to contribute in

aggregate to the overall level of cyber resilience and security of the state as a collective.463

The 2009 CSS also offers a definition of cyberspace in the introductory chapter specifying that

“cyber space encompasses all forms of networked, digital activities; this includes the content of,

and actions conducted through digital networks.”464 This is a very broad definition. By specifying

the content of, and actions conducted through digital networks as ‘being’ cyberspace, the 2009

CSS inherently acknowledges that cyber-enabled information threats — like disinformation —

459 Cabinet Office of the United Kingdom, 5; p. 17 para 3.8. 460 “Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our advantage in cyber space.” Cabinet Office of the United Kingdom, 5. 461 Cabinet Office of the United Kingdom, 7 para 1.1. 462 Cabinet Office of the United Kingdom, 7 para 1.2. 463 Where cyber security (CS) refers to the overall approach to the defence of cyberspace and connected networks, cyber counterintelligence (CCI) refers to the identification and subversion of adversary intelligence activity in and through cyberspace. CCI is defined in chapters two and five, and the relationship between cyber security and cyber counterintelligence is illustrated in Figure 1 The Elements of Cyber Security 464 Cabinet Office of the United Kingdom, 7. Note that where cyberspace is written as two separate words (cyber space), this is how the term is used in the 2009 CSS and I have preserved the official terminology in direct references to the text.


153

must be mitigated by the state. When combined with the insistence on cyberspace and cyber

security being whole-of-society responsibilities, I infer that cyber security and CI practices are

expected to be conducted at all levels – individual, group/corporate, and government; and that

disinformation is one cyber-enabled threat that must also be mitigated at all levels.

The definition also fundamentally links critical national infrastructure with the efficiency,

resilience, and security of cyberspace. The “physical building blocks of cyber space” are considered

to be individual computers (machine) and communications systems – this is a basic definition of

cyberspace and future iterations of national security documentation do have a more informed,

complex, and sophisticated understanding of the physical and virtual infrastructure of

cyberspace.465 Those building blocks, or “technical elements underpin many of our daily activities,

both at work and in our personal lives, and also fundamentally support much of our national

infrastructure and information.”466 This is an early indicator of the schism between recognition of

threats to infrastructure versus threats to audiences through cyberspace and cyber-enabled

technologies like social media platforms; the UK government recognises the danger to assets like

infrastructure and information, but does not develop that understanding further in terms of how

cyberspace and the information it is used to convey could be used to affect democratic audience

psychology and behaviour. The Strategy does reiterate the reliance of the UK on cyberspace in

relation to consumer transactions and individual communications and social media interactions,

but more in the sense of the technologies and efficiency of platforms than under any sense of

threats to perception and behaviour through information warfare or disinformation.467 Notably,

there is a unique appearance of the word ‘disinformation’ in the 2009 CSS in paragraph 2.6,

concerning state actor use of cyberspace; unfortunately that point is not developed any further,

and this is one of the analytical and knowledge gaps that this thesis seeks to address.468

There is also an identification of what the UK government means when the term ‘cyber security’

is used, though it is less a definition than a loose description of a concept – “[c]yber security

embraces both the protection of UK interests in cyber space and also the pursuit of wider UK

security policy through exploitation of the many opportunities that cyber space offers.”469

Interestingly, the point is made that cyber security is not considered an end in and of itself; it is

465 Cabinet Office of the United Kingdom, 7 para 1.5. 466 Cabinet Office of the United Kingdom, 7 para 1.5. 467 Disinformation as a CCI problem will be examined in the final chapter of this thesis. 468 Cabinet Office of the United Kingdom, “Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space,” 13 para 2.6. 469 Cabinet Office of the United Kingdom, 9 para 1.8. See also Figure 1 The Elements of Cyber Security, which illustrates the relationship between cyber security and cyber counterintelligence and neatly aligns with this general definition.


154

more of a process and something to work towards, which is perhaps where the emphasis on

resilience in this and subsequent cyber security strategies originates.470 In terms of the continuing

reliance on and use of cyber space and the Internet, paragraph 1.12 states that the free flow of

ideas and the openness of the Internet is a fundamental underpinning of, and way to strengthen,

democratic ideals and economic health.471 Given that there is a recognition of the use of

disinformation (even if explicitly by state actors only) in subsequent sections of the 2009 CSS, it is

surprising that no caveat is made for ensuring the accuracy and integrity of the information that

does flow through the open internet and across cyberspace. Recognition of that danger, and of the

consequent dangers to democratic integrity if audience psychology and behaviour are manipulated

through the use of information operations, is a necessary precursor to an efficient and holistic

approach to CCI, which will contribute to the aggregate cyber security of the state.472 Espionage is

also identified as a threat that can be undertaken through cyberspace, though little development is

given to this point.473 Related to espionage but also underdeveloped in the 2009 CSS is the

identification of ‘influence’ as an evolving threat to the UK – this is a specific danger to audience

psychology and potential manipulation of perception, whether that audience is officials of

government or the democratic public, but there is only one use of the word in the Strategy and the

point is once again not pursued further.474

The section of state actors explicitly identifies cyberspace as a threat vector for intelligence and

information operations, indicating at least a fundamental (if implicit) acknowledgment of the split

between assets and audiences in relation to cyberspace security and resilience:

The most sophisticated threat in the cyber domain is from established, capable states seeking to exploit computers and communications networks to gather intelligence on government, military, industrial and economic targets, and opponents of their regimes. The techniques used by these state actors go beyond “traditional” intelligence gathering and can also be used for spreading disinformation and disrupting critical services.475

I also infer from this the acknowledgements of the profusion of actors in cyberspace capable of

actuating damage to the state or its representative agencies. The caveat of the state being the most

sophisticated actor in cyberspace serves as an additional justification for the choice to focus on the

threat perception of the state and the threats to the state of disinformation and inefficient threat

470 Cabinet Office of the United Kingdom, 9 para 1.9. 471 Cabinet Office of the United Kingdom, 10 para 1.12. 472 CCI is examined in chapter five of this thesis. 473 “Industry partnerships - Case Study” Cabinet Office of the United Kingdom, “Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space,” 11; 12 para 2.4. 474 Cabinet Office of the United Kingdom, 12 para 2.4. 475 Cabinet Office of the United Kingdom, 13 para 2.6.


155

elevation. I note the specification by the 2009 CSS that “computer systems, networks and

applications all rely on people for their development, delivery, operation and protection.”476 This is

overt acknowledgement of the importance of the human factor in cyber security, and thus in CCI;

explicit identification of the audience as a crucial element in a resilience and secure cyberspace.

This point is not developed further in the 2009 CSS, a trend which continues in subsequent cyber

strategies. The separation of assets (as infrastructure and data) and audiences (as the democratic

public) is an inefficient approach to threat elevation and leaves the UK unprepared for concerted

psychological manipulation campaigns, which will be considered in the sixth chapter of this thesis.

2011: The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world

The second cyber security strategy of the UK acknowledges early in the introduction that there is

a growing dependence on cyberspace, a situation that creates new risks.477 Consistent with the

more general national security strategies and reviews, the cyber security strategy (hereafter “the

2011 CSS”) links these news risks specifically to data and systems. Particularly relevant to this

thesis, one of the acknowledged concerns of the risk to critical data and systems is from hackers

and foreign intelligence services – this represents one half of the holistic elevation of cyberspace,

lacking still the focus on democratic audiences that would promote the resilience of British society

to foreign interference, including (and perhaps especially) through cyberspace, a point covered in

chapter six. Increasing the resilience and security of cyberspace is identified as part of the

overarching purpose of the 2011 CSS over the four-year term to 2015, followed almost

immediately by acknowledging the ‘new normal’ of cyber threat to the public.478 This is an

important acknowledgement of the role the public plays in terms of being targeted by cyber threats,

but the 2011 CSS remains heavily weighted toward consideration of the technical over the

human/psychological.

The 2011 CSS contains an explicit acknowledgement of the split between action and policy — that

which is unclassified and can be considered in the public domain, and that which is classified —

restricted to those personnel and Service members acting to ensure the resilience and security of

the state.479 Such a statement identifies that there is likely considerable development of policy and

476 Emphasis added; Cabinet Office of the United Kingdom, 14 para 2.9. 477 Cabinet Office of the United Kingdom, “The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World” (The Stationery Office, 2011), 5, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf. 478 Cabinet Office of the United Kingdom, 8–9. 479 Cabinet Office of the United Kingdom, 9.


156

methods being undertaken out of the public domain. We can infer that some of these policies and

methods will involve aggressive and possibly even offensive action against adversaries through

cyberspace and/or cyber-enabled technologies. The inherent unknowability of these elements does

not reduce the analytic observations of this thesis, given that much research and signalling occur

in the public domain, but this may prove to be an area of interest for future research.

Threats and Drivers

The 2011 CSS also provides an updated definition of cyberspace, modified from the 2009 Cyber

Security Strategy. According to the 2016 governing Administration of the UK, cyberspace is an

“interactive domain made up of digital networks that is used to store, modify, and communicate

information.”480 It also identifies cyberspace as a repository of knowledge and claims that access

to it strengthens open societies. The assertion about the free flow of ideas and information is an

interesting claim – while it is true that access to ideas and information can be a nett positive for

developing and developed nations, it is also true that this free access is also available to hostile

actors.481 An actor with a working knowledge of cyberspace, and particularly social networking

platforms, can use that access and flow of information to affect target populations, either directly

or by polluting the information ecology such that the integrity of the available information is

suspect or outright untrustworthy. This is the cyber era equivalent of ‘poisoning the well’.482

Following the explicit acknowledgement of the increasing value of cyberspace to the interests and

security of the UK,483 four cyberspace-specific classes of threat are identified: criminals, states,

terrorists, and hacktivists.484 The initial focus on the dangers of cyber criminals is consistent with

previous national security documentation, in that it is assessed to be against money, data, and

systems (assets), more than against the people that create and use said money, data, and systems.

There is also a development of threat understandings in section 2.5 of the 2011 CSS, wherein the

danger of foreign espionage in cyberspace is identified.485 This section specifically articulates the

spread of disinformation as a danger, though qualifies the danger as emanating from patriotic

480 Cabinet Office of the United Kingdom, 11 para 1.3. 481 Cabinet Office of the United Kingdom, 12 para 1.10. 482 ‘Poisoning the well’ originally meant to introduce doubt about the commitment to truth of a person making an argument, such that the audience might not trust what they say regardless of the factual accuracy of the discourse. In this context, I take it to mean introducing doubt about the integrity of the discourse itself (the information) to which the layperson or decision-maker has access, thus influencing the decisions they may make without exerting specific efforts against any single individual. For an examination of the poisoning the well fallacy, see D.N. Walton, “Poisoning the Well,” Argumentation 20, no. 3 (2006): 273–307, https://doi.org/10.1007/s10503-006-9013-z. 483 Cabinet Office of the United Kingdom, “The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World,” 15 para 2.1. 484 Cabinet Office of the United Kingdom, 15–16 para 2.4-2.8. 485 Cabinet Office of the United Kingdom, 15 para 2.5.


157

hackers.486 While it is important both for this analysis and the overall threat conception of the UK

that such a danger has been identified and articulated, it is not enough to restrict the focus of the

defence and security forces to disinformation produced by patriotic hackers. Moreover, the

operating assumption here is that it will be possible to identify and isolate only those producers of

mis- and disinformation that were operating on the specific behalf or orders of state adversary.

This is simply not the case; disinformation can be produced and disseminated through both

internal and external actors and must be identified and recognised as a multi-vector risk. The

following section, 2.6, does identify the terrorist use of cyberspace to spread propaganda;487 again,

this is important but there need to be fewer restrictions on the parties identified as producing these

unique forms of information warfare. The danger of bounding a risk in this way is that alternate

actors may also be conducting such operations, and they may not be identified in time to manage

or mitigate, because the actors were not on ‘the list’ of accepted originators. While the risk has

been elevated, both the articulation and proposed management of that risk are problematic and

require further consideration.

The idea that cyberspace is important for the free flow of information and ideas is reiterated after

another articulation of the dangers posed to infrastructure and critical systems by cyberspace and

cyber-enabled technologies. Section 2.19 discussed the importance of cyberspace as a means for

the spread of ideas, specifically in the context of less-liberal states that attempt (and succeed at)

restricting civil liberties and access to cyber-enabled platforms.488 Once more, the alternative view

of the dangers to liberal societies of the free and relatively unrestricted flow of ideas and

information does not take into account that illiberal states can infiltrate false information and

subversive ideas into that flow of information just as easily (if not more so) as citizens of liberal

democracies. While the acknowledgement of the flow of information is important in terms of

analysing the spread of disinformation and the elevation of the audience in terms of cyber risk,

there is insufficient consideration of how that information is used and whether the integrity of that

information is assured or enforceable. The free flow of information is one thing; the accuracy and

consequences of the information stream is entirely another and has not been properly considered

in relation to the integrity of modern democracy or national security strategic thinking.

What the 2011 CSS does offer in terms of the elevation of the audience for cyber security is a

recognition that individual contributions to cyber security will increase the overall resilience and

486 Cabinet Office of the United Kingdom, 15 para 2.5. 487 Cabinet Office of the United Kingdom, 15 para 2.6. 488 Cabinet Office of the United Kingdom, 17 para 2.19.


158

security of the state, though this is a brief articulation at best.489 The employment of CCI practices

on the part of individual citizens and residents will reduce the overall vulnerability of British society

to the risks enabled or increased by cyberspace and cyber-enabled technologies, which makes it

doubly surprising that the importance of the (democratic) audience to ongoing resilience and

security in cyberspace has not been appropriately elevated. Despite this recognition, the

subsequent sections return to a focus on the importance and vulnerability of critical infrastructure,

reducing the elevation impact of the preceding recognition. The failure to appropriately consider

the audience aspect of cyber resilience and security will prevent a truly holistic and efficient

approach being possible.

The 2011 CSS announces the creation of the Defence Operations Group, as well as the Global

Operations and Security Control Centre within the Ministry of Defence, which will “act as a focus

for cyber defence for the armed forces.”490 While centralisation of focus will hopefully prevent

overlapping of mandate and jurisdiction issues, for the purposes of threat elevation analysis, the

creation of further agencies and groups is a good indication of recognised risks and management

intent. In designating an existing agency or creating one and mandating it with a new or emerging

problem, a government indicates recognition of the growing threat or importance of the problem

area. In selecting a method of countermeasure and an actor to engage in those countermeasures,

the state has acknowledged the elevated importance of that issue. In terms of how CCI might be

practiced by these new actors, the 2011 CSS uses the phrase ‘proactive measures’ in terms of the

Control Centre’s intent and capacity to disrupt threats to British information security.491 On the

face of it, this sounds like proactive CCI and could reasonably be inferred to involve proactive

pursuit of threat actors. Whether such action is in accordance more with the offered definition of

proactive CCI or simply active CCI is likely to remain classified for the foreseeable future. The

methods used by state actors for active cyber defence or proactive cyber defence will depend on

the context of the situation, as well as political feeling at the time. Moreover, and particularly in

relation to proactive CCI, it may be unclear where it ends, and offensive (retaliatory) measures

begin. This is an area of future research that will require considerable time and effort, considering

the national security impact of cyber methods and practices.

In terms of education and protection of the audience as a function of CCI, the 2011 CSS does

identify public awareness and the importance of best practice, as well as providing goals for

489 Cabinet Office of the United Kingdom, 22–23 para 3.8. 490 Cabinet Office of the United Kingdom, 26–27 para 4.9-4.10. 491 Cabinet Office of the United Kingdom, 27 para 4.10.


159

individual resilience and security in cyberspace – these all pertain to (simple) technical security,

without a recognition of cyber-enabled disinformation as something against which the individual

should guard, or a directive to be aware of information accuracy and integrity.492 Despite the earlier

mentions of disinformation (by patriotic hackers) and propaganda (by terrorists), the 2011 CSS

does not develop the understanding of these risks for the audience, nor the idea that those same

threats may in fact emanate from state actors as much as non-state actors. The potential risks to

the audience will be considered further in chapter six, along with an examination of success in

practice.

2016: National Cyber Security Strategy 2016 – 2021

The foreword of the most recent cyber security strategy of the UK acknowledges that cyber-attacks

are becoming more frequent, sophisticated, and damaging. It acknowledges that to ensure national

cyber security and resilience to the greatest possible degree, there is a requirement for a whole-of-

society capability that specifies and includes individuals. This is the most explicit identification yet

of the necessity of individual participation in the pursuit of national security and resilience in

cyberspace, as much an admission of the too-broad scope of cyber security as the

acknowledgement of individual importance. The 2016 Cyber Security Strategy (hereafter “the 2016

CSS”) identifies in the document preface the necessity of “managing and mitigating” threats –

consistent with previous national security documentation, however, there is a continued focus on

systems and data security despite acknowledging the place of the individual (the audience) in

practicing security.493 The recognition of a tiered process of risk management and threat mitigation

aligns closely with the framework of understanding suggested by elevation analysis, and, despite

the continued split focus in favour of technical systems over a holistic view of cyber security and

resilience, the natural development of the British national security documentation along the

framework of threat elevation is encouraging. We thus see not only the elevation of cyberspace

occurring, but also the increased need for CCI to play a role in responding to these threats.

The 2016 CSS contains an explicit admission of the UK owning the capability and “means to take

offensive action in cyberspace, should [the UK] choose to do so.”494 Given the contested nature

of cyberspace and the profusion of cyber-enabled technologies, it is unsurprising that developed

492 Cabinet Office of the United Kingdom, 31 para 4.37-4.39. 493 Cabinet Office of the United Kingdom, “National Cyber Security Strategy 2016-2021” (The Stationery Office, 2016), 7, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf. 494 Cabinet Office of the United Kingdom, 9 para 1.5.


160

nations would pursue an offensive capability. For the UK to admit and publish this capability is

perhaps unusual, given the statements of previous national security documentation that

international law, the expectation of civility, and the importance of international partnerships and

relationships apply in cyberspace as in the physical realm; to admit an offensive capacity and a

willingness to use it is a strong signal to send.495 This is perhaps tied to the recognition of the

increasing vulnerability of the state to cyber-enabled exploitation, given the growth of cyber

physical systems like the Internet of Things (IoT) and the capacity of those devices to extend the

“threat of remote exploitation,”496 with the Strategy aiming “to increase cyber security at all levels

for [the] collective benefit [of the United Kingdom].”497

Threats and Drivers

In the 2016 CSS, cyber security is defined as “the protection of information systems, the data on

them, and the services they provide.”498 This definition is consistent with previous documents’

conception of cyber security and aligns with the general understandings of security and resilience

in cyberspace produced by the analysis of those documents. However, there is also room in this

definition for it to be applied to the human element in both cyber security and CCI practices.

While information systems and the data they contain are clearly meant to describe the ‘assets’ pillar

of the assets vs. audiences understanding of this analysis,499 the above definition also identifies the

services provided by those technical systems as necessitating security measures. This could be

developed into an understanding that cyber-enabled services and platforms like social networking

and massive communications sites need to be secured and made more resilient to interference to

protect the audience. While I judge it unlikely that this is the intended meaning of the definition,

there is definite scope for the broadening of the definition and thus the understanding of what

exactly cyber security is, or should look like, in the UK.

The 2016 CSS acknowledges a broadening of threat in cyberspace, identifying “an expanding range

of devices” as a specific vulnerability and specifying the IoT as creating new opportunities for

495 Though this is in line with an increased elevation and arguably securitisation of cyber security. The 2017 Australian International Cyber Engagement Strategy, for instance, was more explicit about Australia’s willingness to use offensive cyber capacities. Department of Foreign Affairs and Trade, “Australia’s International Cyber Engagement Strategy” (Australian Government, 2017), 54–55, https://web.archive.org/web/20180216140850/https://www.dfat.gov.au/international-relations/themes/cyber-affairs/aices/preliminary_information/introduction.html. 496 Cabinet Office of the United Kingdom, “National Cyber Security Strategy 2016-2021,” 13 para 2.4. 497 Cabinet Office of the United Kingdom, 14–15 para 2.10. 498 Cabinet Office of the United Kingdom, 15 para 2.11. 499 This will be examined in-depth in chapter six.


161

exploitation.500 While this is most likely an identification of the ways in which insecure devices can

be attacked, co-opted, or otherwise exploited, this is another area where an unbounded definition

could be interpreted as being permissive of measures intended to aid in the resilience and security

of audience psychology and decision-making capacity. Consistent with the 2011 CSS,501 the

particular threats identified in the 2016 CSS are cyber criminals; states and state-sponsored threats;

terrorists; hacktivists; and script kiddies.502 In addition to these, insiders are recognised as a threat

to national security.503

The 2016 CSS contains an interesting modification of the 2011 CSS identification of state threats

to the current evolution of states and state-based threats. From this, I infer a greater understanding

of non-state actors operating in cyberspace either at the behest or on the behalf of state actors as

presenting a higher (perceived) threat than in previous iterations of national security documents.

The definition of CCI offered in chapters two and five of this thesis acknowledges the risks from

and to non-state actors specifically because of the decreasing threshold of entry into cyber conflict

and the growing capability of these actors to affect behaviour and policy and the interstate level.

While there are non-state actors in cyberspace that do not act at the behest or on the behalf of

states, it is also true that these groups can be categorised as criminal enterprises and, as such, are

already identified by the UK national security documentation as a current threat. This is a sign of

development in the UK understanding of the cyber threatscape and a clear elevation of both

understanding and risk perception; the understanding among the British Administration of what

kinds of actors can constitute a threat to national resilience and security in cyberspace is evolving

to consider a greater array of threat vectors.

The best recognition thus far seen in the national security documentation of the UK that the

audience as a collective of individuals is important in any consideration of security and resilience

in cyberspace is the declaration in Section 3.19 of the 2016 CSS that “the public is also insufficiently

cyber aware.”504 This simple statement serves as a recognition that the threat to the audience of

500 Cabinet Office of the United Kingdom, “National Cyber Security Strategy 2016-2021,” 17–22. 501 Cabinet Office of the United Kingdom, “The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World,” 15–16 para 2.4-2.8. 502 A script kiddie, for example, is an individual lacking the knowledge or skill to write their own malware; they use the malware written by others to engage in attack and exploitation. Australian Cyber Security Centre, “Script Kiddie,” Australian Signals Directorate | Australian Cyber Security Centre, 2021, https://www.cyber.gov.au/acsc/view-all-content/glossary/script-kiddie; Patrick Putnam, “Script Kiddie: Unskilled Amateur or Dangerous Hackers?,” United States Cybersecurity Magazine, September 14, 2018, https://www.uscybersecurity.net/script-kiddie/. 503 Cabinet Office of the United Kingdom, “National Cyber Security Strategy 2016-2021,” 17–20 para 3.2-3.14. 504 Cabinet Office of the United Kingdom, 22 para 3.19.


162

being insufficiently unaware of or prepared for the cyber threatscape has been perceived by the

Administration in their examination of the security and resilience requirements of the UK. This is

a clear elevation of the (perceived) risk to the public of cyber-enabled threats. It is also noteworthy

that the 2016 CSS considers roles and responsibilities for all sectors of society, categorising groups

as individuals/businesses, organisations, and government, which broadly align with the identified

actor aggregations for CCI used in this thesis.505

However, the 2016 CSS then calls on individuals, as citizens, to take all reasonable steps to

safeguard hardware, software and systems.506 The reductionist logic of this concept of individuals

needing to take steps to protect systems but not the information that resides within those systems,

nor their own perceptions and understanding of that information is concerning at best, and

negligent at worst.507 While there is the affirmation that the primary duty of government is to

protect citizens from attacks by other states,508 there is an inherent assumption of the (cyber-)

physical nature of any expected attack, leaving unaddressed any psychological operations that may

be targeting the (democratic) audience, and therefore the voting public. The point must be made

that without the understanding and aggregate contribution of the British audience to cyber

resilience through individual CCI, true cyber resilience will remain an aspiration. The human

element of cyber is inextricable from the technical-physical structures: until the human element is

aware of and guarded against psychological manipulation and information pollution, weaknesses

will remain inherent in any cyber security strategies. This, I suggest, will only occur when there is

a greater integration between the processes of elevation, and the capacities and tools of CCI, a

point I explore in detail in the following chapter.

There is some interesting ambiguity in section 4.16 announcing a broadened intelligence and law

enforcement focus on cyber, and that these institutions would “expand their efforts to identify,

anticipate, and disrupt hostile activities by foreign actors, cyber criminals and terrorists.”509 That

there is no specification as to what ‘activities’ will be identified and disrupted, nor that ‘foreign

actors’ are restricted to states, leaves room for interpretation, and a mandate for psychological

defence could be read into ambiguous statements such as these.

505 Cabinet Office of the United Kingdom, 26–27 para 4.6-4.11. See chapter five for a discussion on actor aggregates (broad categories) that can or should use CCI. 506 Cabinet Office of the United Kingdom, 26 para 4.7. 507 The implications of this are considered further in chapter six, where I examine disinformation as a threat to democratic integrity and analyse the importance of the human element in a holistic approach to CCI. 508 Cabinet Office of the United Kingdom, “National Cyber Security Strategy 2016-2021,” 26 para 4.9. 509 Cabinet Office of the United Kingdom, 28.


163

There is a consistent focus on cyber-crime as a persistent threat to cyber security and resilience,

but an explicit acknowledgement of the importance of the human fact to cyber security does not

appear until Section 5.3.6, when the 2016 CSS commits the Administration to the development of

cyber skills and expertise – the caveat to this development is that this commitment is specific to

government service,510 without addressing the public requirement for the same skills and expertise

any further than the ongoing commitment to education and innovation funding. While these are

excellent commitments and will no doubt serve the UK well in future, there is nothing that

addresses the current, real-time dearth of skills, expertise, and understanding of the audience that,

through voting decisions and behaviour, chooses and affects the functions of the governing

administration.

I note that there is a dedicated section on “countering hostile foreign actors” in cyberspace that

contains an acknowledgement that many countermeasures will not be undertaken or admitted in

the public space,511 and given the classified nature of many cyber operations and their importance

to national security and resilience, this is understandable. It is important, however, that the

audience of a democratic nation both know and understand that their government is aware of and

(capable of) responding to the threat of cyber-enabled interference that directly targets the

audience rather than just the systems that they use to generate exploitable data. Public trust in the

ability of the administration to both govern and protect is a fundamental pillar of democratic

integrity. In addition to recognising and elevating the threat to the audience of cyber-enabled

foreign interference, the administration must also be able to communicate a specific management

plan or proposal to strengthen public trust in government. Without that trust, the risk is that the

public will turn to alternate sources of information, thus becoming more vulnerable and

susceptible to disinformation and reducing overall democratic integrity, a point I return to in

chapter six.

I also note the acknowledged requirement for further education and training of cyber security

professionals.512 Further evolution of this stance is encouraged, however; while there is an

indubitable need for a larger cohort of cyber security professionals both now and in the future, it

is still, and will continue to be, necessary to encourage a more informed general public (a more

informed audience), which will decrease the opportunities of which adversaries can take advantage.

510 Cabinet Office of the United Kingdom, 38 para 5.3.6. 511 Cabinet Office of the United Kingdom, 49–50 para 6.3. 512 Cabinet Office of the United Kingdom, 51–55.


164

More specifically, and especially given the affirmation that the UK will itself “seek to influence the

decision-making of those engaging in…cyber espionage,” the elevation of the importance of the

human factor in any consideration of cyber intelligence/counterintelligence and security can only

be affirmed as critical.

Case Summary

In analysing the selected national security documentation of the UK, I attempted to ascertain

several different things. First, do the assumptions of threat elevation analysis hold true? Then, has

the threat perception of cyberspace evolved in the UK? And finally, has there been a development

in the understanding of, and need for, CCI?

Across the analysed period, namely 2008-2018, the UK engaged in several elevating acts that

indicated a heightening of their perceived threat of cyberspace. In addition to a number of agencies

being created to engage with different aspects of cyberspace, criminal use thereof, and military and

intelligence engagement with cyberspace infrastructure, the publication of three national cyber

strategies indicates the seriousness with which cyberspace has come to be viewed by successive

UK administrations. In addition, the national security documentation of the UK showed a distinct

elevation of increased threat perception of cyberspace.513

513 Given the scope of this thesis it is not possible to conduct a thorough investigation of threat attenuation here using

the UK perception of terrorism as a study. In brief, while the threat perception of cyberspace was elevated, the national

security documentation of the UK consistently identified (international) terrorism as the primary threat faced by the

UK. While earlier experiences and documentation may have contained the securitisation of terrorism (outside the

bounds of the 2008-2018 period time under examination), the collection of documents analysed here contained neither

an elevation nor an attenuation of the perceived terrorist threat. In fact, each document examined represented the

continued risk management of the threat of terrorism rather than any elevating or attenuating language or measure.

The threat perception of terrorism has not attenuated. While not indicative of security elevation practices more

broadly, it is an indication that once security concerns have been securitised to the level of threat it is more likely that

the process of threat attenuation will be significantly long-term and tends to hold at risk management, rather than

continuing down to normal politics. While mentions of terrorism and counterterrorism decreased considerably in the

two cyber security strategies so far produced by the UK (both within the analysed period), it does represent a

considerable percentage of the national security and intelligence effort, focus, and funding of the UK. Violent

extremism does not consistently receive the attention in the national security documentation as does terrorism, but it

is important for the identification of community efforts involved in countering violent extremism - these efforts could

be patterned in future public education and awareness efforts surrounding psychological defence in cyberspace. Given


165

In contrast to terrorism, which remained a Tier One threat, cyberspace underwent a considerable

elevation of perceived risk across the period analysed. From barely appearing at all in the 2008

National Security Strategy, by the end of the analysed period, cyberspace (or the vulnerability of

cyberspace as a threat vector) was considered one of the primary threats to the security of the UK,

and an obstacle in the pursuit of national security and resilience. As the understanding of

cyberspace developed and the terminology of threats, actions, and actors in cyberspace evolved,

so too did the conception within the UK Government of how cyberspace should be treated and

managed in terms of resilience and security by the defence and intelligence communities. There is

clear riskification here.

What developed, however, was a split view of cyberspace in terms of threats and vulnerabilities

that I call the assets vs. audience divide and develop further in chapter six. The focus of the UK

on the digital infrastructure of cyberspace, on the systems, processes, data, and physical

technologies that support and are produced by and in cyberspace (the assets), have left unresolved

the problems surrounding adversarial targeting of the general population of the UK (the audience).

While the integrity of cyberspace assets and infrastructure is crucial to the continued normal

function of everyday life, not only in the UK but globally, there has been a fundamental failure to

acknowledge that at every stage of analysis and deployment, the human factor in cyber security is

both integral to success, and in fact the reason for which security is pursued. Humans make

decisions (whether emotionally or rationally) based in large part on the information available to

them at any given time (snapshot intelligence), or based on what they have known and integrated

into their belief framework over time (fundamental intelligence). Much like short-term and long-

term memory, the beliefs either introduced or encouraged by snapshot intelligence feed into the

long-term belief and perception frameworks (fundamental intelligence) that affect ongoing

behaviour, such as civil interaction and voting patterns. The resulting national and cyber security

strategy documentation fixates almost entirely on technical security, leaving unaddressed the

human factor. Individuals produce the data collected on systems, and they create and utilise those

systems, producing further data, so on and so forth in a constant loop of production and

consumption. As I will argue in chapter five, we can close this gap by drawing from

these conclusions, the process of threat attenuation according to the threat elevation analysis framework will be the

subject of future research.


166

counterintelligence and properly elevating the threat to the audience by encouraging broad uptake

of CCI practices that contribute to the overall security of the state and its constituents.

In terms of how an overall approach to the understanding or practice of CCI may have evolved in

the UK in relation to the threat elevation of cyberspace, while the intelligence and security services

were referenced in the documentation analysed, there was general lack of specificity in regard to

CCI. While this can in part be explained by the classified and highly sensitive nature of these

capabilities and investments, it does mean that the analysis undertaken throughout the previous

sections has been significantly inferential. More so in the cyber security strategies, it is possible to

see that there is a connection and an increased understanding of counterintelligence requirements

in relation to disinformation. This is highly connected to state actor activities in relation to

disinformation, and to terrorist actors when considering propaganda. There is also the heightened

recognition that the intelligence and security services will be increasingly required to operate in and

mitigate hostile actions through, cyberspace, as foreign actors engage in attempts at interference.

Conclusion

This analysis has shown that there is still a significant focus on technological aspects of cyber

security, with limited elevation of the human factors in cyber security. While there has been a

successful riskification in terms of risks to assets, I suggest that there is a need hybridise the

technical side of cyberspace operations with the human aspect of psychological manipulation or

protection. CCI, as I will argue in chapter five, offers a way to connect these two elements that

makes it the perfect concept to recognise, monitor, and respond to the elevated national security

threats enabled by cyberspace, with appropriate risk management or threat mitigation measures.

Moreover, elevating the role of the audience as a vulnerability and a threat vector will enable the

allocation of resources to contribute to the protection and resilience of the audience against

disinformation and foreign interference campaigns. An increase in audience resilience to

disinformation will reduce the ability of hostile actors to degrade democratic integrity through the

sowing of confusion and consequent reduction in trust.

Beyond the technical considerations, though, is the audience: made up of the individuals that the

cyber security strategies indicate are at least partly responsible for information security, the

audience is still susceptible to deception through disinformation. The consequences of such

deceptions (as cyber-enabled information operations) affect both current and future behaviour,

such as voting. The integrity of the information to which they have access, the flow of ideas which


167

the UK identifies as crucial to the function of a modern democracy, has the potential for enormous

impact on the perceptions and behaviours of the audiences. There needs to be a serious effort to

elevate the risks to the audience of disinformation: an effort to elevate the risks to the audience of

cyber-enabled exploitation in general terms, beyond specifically technical problems.

Disinformation presents significant risks not only to the security of individuals, but to the overall

integrity of democracies and democratic institutions, such as election infrastructure. Because there

are severe potential consequences of the successful infiltration of disinformation into political

information ecologies, there needs to be an active response to such efforts. Because there is a

ubiquitous capacity for use of cyberspace, it is beyond the capacity of the individual state to secure

this domain. As such, performing counterintelligence measures in cyberspace is not the sole remit

of the state: individuals and organised groups also bear a responsibility to engage in CCI measures

and practices to contribute to the aggregate security of the state, and thereby the international

system at large. This separates CCI from more traditional modes of counterintelligence, bringing

the individual into a realm where previously only states or quasi-state actors were acknowledged

as legitimate actors. The next chapter examines the nature and field of CCI before offering a

typology of CCI, contextualising the examination of disinformation in chapter six.

168

5 – Counterintelligence and Cyberspace A fundamental outcome of the analysis in chapter four is that, while cyberspace has been elevated

in the United Kingdom (UK), it still treats cyber security as primarily a technological issue. Yet, a

fundamental aspect of mitigating, and ideally attenuating, threats in cyberspace involves humans.

In this chapter, given its embrace of human factors in intelligence and security, I will argue that

counterintelligence is a highly relevant and useful resource that those working in cyber security

should draw on: counterintelligence is a crucial part of the discipline and practice of intelligence,

and needs to play more of a role in cyber security. As long as spies and spying techniques have

been utilised to try and gain viable intelligence from hostile or oppositional parties, there have

been efforts to deny that intelligence collection and degrade that party’s ability to collect or use

further intelligence. For all intents and purposes, this is the function of counterintelligence: all

modern enhancements or changes to practice and understanding build on this foundation, rather

than renovate it. As outlined earlier in this thesis, where cyber security refers to the overall state

of, and methods of assuring, the overall security of cyberspace or an entity operating therein, cyber

counterintelligence concerns the specific practices intended to obviate attempts at intelligence

collection (espionage) or exploitation that then enable disruption or influence operation such as

disinformation campaigns. In modern times, considering the ubiquity of cyberspace to all areas of

life, the study, analysis, and practice of counterintelligence in cyberspace is both particularly

important and particularly complicated.

In chapter three, I examined whether cyberspace had undergone threat elevation, concluding that

cyberspace has been successfully riskified but has not yet been successfully securitised. In chapter

four, through examination of the national security documentation of the UK I demonstrated that

it is possible to identify and trace the elevation of the threat of cyberspace at the state level,

identifying successful riskification and accompanying risk management measures, though it should

be noted that the potential future elevation of cyberspace from risk to threat is not precluded by

this analysis. The UK by 2018 had successfully riskified the cyber threat to assets – critical

infrastructure, systems, and data. It failed to elevate the cyber threat to the audience, who are

vulnerable actors in cyberspace and can be a threat vector to the state in terms of both cyber

security and democratic integrity. One 2018 study found that individuals are just as likely to curate

and disseminate disinformation as is a state actor, making the audience both a risk to be managed


169

and a vulnerability to be secured.514 A comprehensive threat elevation of cyberspace needs to

recognise the role, and the importance, of the human factor in cyber security. Drawing on the

conclusions reached in chapter four, this chapter identifies cyber counterintelligence (CCI) as a

risk management and threat mitigation measure before applying this concept to the problem of

audience vulnerability to disinformation in chapter six.

The threat elevation of cyberspace should provoke a counterintelligence response at all levels, but

particularly at the state level, as it is responsible for the security of its citizens. The means with

which an actor addresses CCI concerns and the methods by which it manages or mitigates security

risks and threats in cyberspace accords with the general threat elevation analysis framework. A

mature actor in cyberspace is expected to have a more strategic outlook on CCI concerns and

would be expected to engage largely in active or proactive CCI, having constructed defences

designed to successfully repel or deter most malicious actors. This is the case with the UK. Less

mature actors might still be utilising tactical CCI means and methods and would likely be elevating

the threat of cyberspace as cyber-attacks and exploitation attempts are experienced. This is not to

say that tactical and strategic approaches to CCI are mutually exclusive – simply that there are

different levels and approaches by which actors undertake CCI. This chapter develops the concept

of CCI – how it is defined, how it has evolved, and to what purpose it is, and should be, used.

Accepting that cyberspace is an acknowledged risk to the security of the sovereign state, it becomes

the responsibility of all governments to undertake such actions and processes designed to manage

the risks associated with cyberspace as a conflict domain. If risk management fails, then a

multilateral approach to cyber threat mitigation is the next required step. Given that no state (or

corporation registered therein) is the sole owner or operator of the infrastructure underpinning

cyberspace, minimisation of threat potential is the duty of multiple actors. Risk management is

only possible if there is no immediate, overriding danger which would precipitate a further

elevating process and the identification of an existential threat to the state.515

So how has the riskification of cyberspace affected counterintelligence, and more specifically, cyber

counterintelligence? While CCI is a subset of counterintelligence, the requirements and limitations

of the cyber domain necessitate both new technologies and new analytical tools to properly

514 Yevgeniy Golovchenko, Mareike Hartmann, and Rebecca Adler-Nissen, “State, Media and Civil Society in the Information Warfare over Ukraine: Citizen Curators of Digital Disinformation,” International Affairs 94, no. 5 (2018): 975–94. 515 Threat elevation analysis is examined in depth in chapter three, as the framework underpinning this thesis.

Chapter 5 – Counterintelligence and Cyberspace

170

understand what cyberspace is and will be to state security. The ability to comprehend, navigate,

and exploit cyberspace is as essential to practitioners of counterintelligence as it is to intelligence

collectors; possibly more so, as to practice counterintelligence is to defend against those malicious

actors who are actively trying to obtain classified (or otherwise private) information for their own

(presumably exploitative) purposes. It is also worth noting that given the ubiquity of cyberspace

and the interconnected networks that form its global structure, counterintelligence is increasingly

required and utilised by parties beyond the state, to include individuals, groups, and corporations

of various sizes. Individuals and civil society groups, for example, engaged in significant

disinformation and counter-disinformation dissemination during the research into the cause of the

downing of MH17 over Ukraine in 2014.516 The Russian Federation initially denied involvement,

attempting to manipulate the narrative by implying Ukrainian actors had downed the plane.517

Bellingcat, an open-source investigative group, engaged in the identification and tracking of data

and information in a stunning display of active and proactive CCI in direct competition with actors

intending to cover Russian involvement by attempting to conceal information and avoid

attribution.518 However, to analyse the ways in which each of these types of actor employs CCI is

beyond the scope of this thesis and will therefore be only briefly examined to contextualise the

importance of CCI to the security of the state.

Despite the many kinds of cyber-enabled technologies, intelligence collection and analysis still

fundamentally revolve around humans. Signals intelligence (SIGINT) may be collected by one

agency and protected by another, but the intelligence is collected in order to ascertain the probable

or actual actions and decisions of people – foreign leaders, policymakers, and agents of foreign

intelligence services. The hacks of the Democratic National Committee (DNC) servers and the

exploitation of John Podesta’s email account, for example, provided a significant quantity of

information of what people had done and were planning on or considering doing.519 The human

516 Golovchenko, Hartmann, and Adler-Nissen, “State, Media and Civil Society in the Information Warfare over Ukraine: Citizen Curators of Digital Disinformation”; Sebastiaan Rietjens, “Unraveling Disinformation: The Case of Malaysia Airlines Flight MH17,” The International Journal of Intelligence, Security, and Public Affairs 21, no. 3 (September 2, 2019): 195–218, https://doi.org/10.1080/23800992.2019.1695666; Matt Sienkiewicz, “Open BUK: Digital Labor, Media Investigation and the Downing of MH17,” Critical Studies in Media Communication 32, no. 3 (May 27, 2015): 208–23, https://doi.org/10.1080/15295036.2015.1050427. 517 Golovchenko, Hartmann, and Adler-Nissen, “State, Media and Civil Society in the Information Warfare over Ukraine: Citizen Curators of Digital Disinformation,” 978; Philip Pangalos, “Russia Denies Claims of Involvement in Malaysia Airlines MH17 Crash,” euronews, June 19, 2019, https://www.euronews.com/2019/06/19/russia-denies-claims-of-involvement-in-malaysia-airlines-mh17-crash. 518 Bellingcat, “MH17,” Bellingcat, 2021, https://www.bellingcat.com/tag/mh17/. 519 Katiana Krawchenko et al., “The John Podesta Emails Released by WikiLeaks,” CBS News, November 3, 2016, https://www.cbsnews.com/news/the-john-podesta-emails-released-by-wikileaks/; Raphael Satter, Jeff Donn, and Chad Day, “Inside Story: How Russians Hacked the Democrats’ Emails,” AP NEWS, November 4, 2017,


171

factor is an irrevocable element of intelligence, and the increasing technologisation of modern

society has not changed that. So, it is important to bear in mind that all discussions of CCI must

also pay due attention to human intent, motivation, and perception. One of the chief conclusions

from chapter four was that though the UK had effectively elevated cyberspace, they had done so

in a way that significantly overlooked the human factors in cyber security. In what follows, I

develop CCI as a way to build a more fundamental resilience into cyberspace.

This utility of this approach becomes obvious in chapter six, where I cover the effects of

disinformation campaigns through the lens of failed CCI practice and understanding at the

systemic level. Fundamentally, I argue that CCI can be broadly understood to apply to two

categories: assets and audiences. Of these, governments globally have successfully elevated the

concerns surrounding assets, focussing particularly on critical infrastructure and data.520 Policies

have been instated and practices undertaken to protect data, and ensure the defence and

(hopefully) future resilience of national critical infrastructure.521

Until recently, however, there has been insufficient consideration given to the importance or

protection of the second category: audiences. This point was borne out in the analysis of the UK’s

elevation of cyberspace. Given the ubiquity of cyber-enabled technologies, CCI requires

participation from the citizenry – a considerable departure from more traditional, covert forms of

counterintelligence. The greater the percentage of a population that actively engages in cyber

security measures (to include counterintelligence practices, either consciously or unconsciously),

the greater the levels of cyber security and digital integrity of the state in question. While the state

is the primary unit of analysis in this thesis, CCI shows us the importance of the human factor.

https://apnews.com/article/hillary-clinton-phishing-moscow-russia-only-on-ap-dea73efc01594839957c3c9a6c962b8a; Zurcher, “Hillary Clinton Emails - What’s It All About?,” BBC News, November 6, 2016, sec. US & Canada, https://www.bbc.com/news/world-us-canada-31806907. 520 See chapter three for extended discussion on threat elevation. 521 Centre for the Protection of National Infrastructure, “Centre for the Protection of National Infrastructure | CPNI,” Centre for the Protection of National Infrastructure | CPNI, 2021, https://www.cpni.gov.uk/; Steven Chabinsky and F. Paul Pittman, “Data Protection 2020 | Laws and Regulations | USA,” International Comparative Legal Guides, 2020, https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa; Bernard Haemmerli and Andrea Renda, “Protecting Critical Infrastructure in the EU,” Centre for European Policy Studies (blog), December 16, 2010, https://www.ceps.eu/ceps-publications/protecting-critical-infrastructure-eu/; Information Commissioner’s Office, “Guide to the UK General Data Protection Regulation (UK GDPR),” Information Commissioner’s Office (ICO, 2021), https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/; Intersoft Consulting, “General Data Protection Regulation (GDPR) – Official Legal Text,” General Data Protection Regulation (GDPR), September 2, 2019, https://gdpr-info.eu/; UK Public General Acts, “Data Protection Act 2018,” Legislation.gov.uk (Queen’s Printer of Acts of Parliament, 2018), https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted; United States Government, “National Infrastructure Protection Plan | CISA,” Cybersecurity and Infrastructure Security Agency, 2021, https://www.cisa.gov/national-infrastructure-protection-plan.


172

Moreover, it explains how the individual is paramount to the security of the state. A state is but an

aggregate of individuals, and as the saying goes, a group is only as strong as its weakest member.

Put into context, any given aggregate (like the state) can only acquire and maintain a significant

level of security in cyberspace if the constituent members of the aggregate model the correct

behaviours and engage in the appropriate practices across the board. Unless most individuals

understand the importance of and engage in “cyber hygiene” and CCI practices, the greater the

likelihood that a virus will be able to move past existing defences.522 This is why the failure to

allocate the appropriate weight and importance to both systemic (state) and human

(individual/group) levels of CCI practice and understanding is a serious and ongoing national

security concern. Until audiences are considered, supported, and invested in at the same level as

assets, this problem is likely to continue unmitigated.

Greater investment in, and education of, democratic audiences in relation to CCI practices will not

just contribute to the security of cyber infrastructure, but to the security and resilience of

democratic infrastructure as well. Disinformation is a growing threat to security among Western

democracies – it is important to consider the effects that false information will have not only on

levels of comprehension but on the trust that democratic audiences have in their elected leaders

and the institutions that support them. Trust in both mainstream media and in democratic

institutions like elected governments has been trending downward, and this is in part due to a

stated distrust of information provided by those entities.523 The security and resilience of

infrastructure is intertwined with the strength of the social contract between democratic

governments and audiences, and disinformation that is effectively transmitted has the potential to

disrupt and degrade that social contract. Disinformation as a security threat will be discussed

further in chapter six in the context of the assets vs. audiences dilemma and the ways in which

false information can affect democratic integrity. Understanding and using CCI at strategic and

tactical levels, and the practice of CCI by states, organised groups, and individuals, will aid in

522 As pointed out in chapter four, where the UK initially used the cyber health analogy in relation to cyber security practices, this does not continue past the 2009 national security strategy. Australia does use cyber hygiene in certain contexts. See Australian Cyber Security Centre, “The Commonwealth Cyber Security Posture in 2019,” Australian Signals Directorate | Australian Cyber Security Centre, 2019, https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/commonwealth-cyber-security-posture-2019. 523 Golovchenko, Hartmann, and Adler-Nissen, “State, Media and Civil Society in the Information Warfare over Ukraine: Citizen Curators of Digital Disinformation,” 981; OECD, “Trust in Government - OECD,” OECD, 2021, https://www.oecd.org/gov/trust-in-government.htm; Pew Research Center, “Public Trust in Government: 1958-2021,” Pew Research Center - U.S. Politics & Policy (blog), May 17, 2021, https://www.pewresearch.org/politics/2021/05/17/public-trust-in-government-1958-2021/; Jesper Strömbäck et al., “News Media Trust and Its Impact on Media Use: Toward a Framework for Future Research,” Annals of the International Communication Association 44, no. 2 (April 2, 2020): 139–56, https://doi.org/10.1080/23808985.2020.1755338.


173

mitigating the threat of disinformation and strengthening the social contract between government

and audience such that democracy becomes more resilient to false information.

This chapter consists of two main sections. Section one will examine the specific field of CCI, and

how the understanding and use of counterintelligence has evolved as the perceived risks associated

with the broad use of cyberspace have increased. Section two will then examine three broad groups

that undertake CCI to contextualise the relationship between state security, cyberspace, and the

actors that engage in CCI: states; organised groups, and individuals. CCI is a multilateral effort,

and greater efficacy of CCI by individuals and groups will contribute to the security of the state;

greater state resilience can shield individuals and groups; groups can shield citizens and contribute

to the state’s security. The most efficient approach to CCI will be one in which all three actor

groups engage in CCI measures and practices, which will require a comprehensive threat elevation

of cyberspace and recognition of audience threat and vulnerability.

Cyber Counterintelligence

CCI is a branch of counterintelligence. It requires a high level of technical skill and investment by

parties that seek to implement CCI practices – primarily, states. As a subset of the general

counterintelligence field, CCI has developed along a similar line to both counterintelligence and

cyberspace itself. Like its parent field, CCI is largely reactionary, and utterly crucial to the

(perceived and actual) security of states in cyberspace, and the cyberspace infrastructure itself. CCI

is also difficult to define, as the traditional, analogous security concerns that require

counterintelligence have proliferated as the world becomes increasingly digitised. In addition to

the increasingly low threshold for instigation of or participation in conflict in cyberspace for those

that are digitally literate, it is also possible for cyber-attacks to emanate from the devices of

individuals who are unaware they have been compromised. Similarly, this can also occur from

people who wish to play a contributive role in cyber conflict but are not as capable in cyberspace

as hackers; it is possible to download and run computer viruses and other malicious programs with

little or no intimate knowledge of computer programming or coding. Organised criminal groups

are highly capable actors in cyberspace that have the potential to cause significant damage at

national and international levels. Consider the 2021 DarkSide ransomware operation against


174

Colonial Pipeline on the East Coast of the US, which caused a days-long shutdown to oil access

which was only relieved when Colonial paid the requested ransom.524

Comparative to its importance to state and global security, there is a startling lack of academic

analysis and examination of CCI as an academic field, or as a practical endeavour. Having seen in

chapter four that countries like the UK have riskified cyberspace, then a greater understanding of

the interaction between cyberspace and security, cyberspace and intelligence, and the field of CCI

specifically is crucial to future security. This first section of this chapter will consider the history

and development of the CCI field, before considering the purpose and practice of CCI having

taken these elements into account. The final section of this chapter will contain a brief overview

and examination of the three main categories of actor utilising CCI practices, and how the security

of the state relates to these parties’ use of CCI.

CCI as a Discipline

CCI is a branch of the general field of traditional counterintelligence, which is itself within the

remit of the overall field of intelligence. As with traditional modes of intelligence and

counterintelligence, CCI is not necessarily disallowed according to international law, though as

with every other field of international interest, the intention exists to further control and regulate

cyberspace.525 Much like other fields of intelligence and security that have been translated to the

cyber domain, counterintelligence in cyberspace at this point in time is undertaken in an ad hoc

nature and with little oversight or regulation comparative to other means of international

interactions. Cyberspace is a domain to which the costs of entry into conflict are significantly lower

than would be expected of alternative, traditional modes of conflict. In an offensively-advantaged

domain, the costs of cyber defence are (often significantly) higher than those associated with

building a flexible and effective offense; this makes the likelihood of conflict both more probable

and more difficult to deal with.526 In a battle space where it is simple and relatively easy for conflict

524 Associated Press, “Colonial Pipeline Confirms It Paid $4.4m Ransom to Hacker Gang after Attack,” the Guardian, May 20, 2021, http://www.theguardian.com/technology/2021/may/19/colonial-pipeline-cyber-attack-ransom; Andy Greenberg, “The Colonial Pipeline Hack Is a New Extreme for Ransomware,” Wired, accessed July 3, 2021, https://www.wired.com/story/colonial-pipeline-ransomware-attack/; Lily Hay Newman, “DarkSide Ransomware Hit Colonial Pipeline—and Created an Unholy Mess,” Wired, accessed July 3, 2021, https://www.wired.com/story/darkside-ransomware-colonial-pipeline-response/. 525 Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare; Schmitt and Vihul, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations; United Nations Office for Disarmament Affairs, “Group of Governmental Experts - Cyberspace.” 526 Keir Lieber, “The Offense-Defense Balance and Cyber Warfare,” in Cyber Analogies, ed. Emily O. Goldman and John Arquilla (United States Cyber Command, 2014), 96–107; Andrea Locatelli, “The Offense/Defense Balance in Cyberspace” (Working Paper, Milan, 2013), https://publires.unicatt.it/en/publications/the-offensedefense-balance-in-cyberspace-10.


175

to take place, with multiple potential actors taking part, and that same space and conflict potential

are no longer limited to the sovereign state, conflict becomes incredibly difficult to prevent or

mitigate.

In such a battle space (and cyberspace has been termed such for several years, in particular by the

United States’ Department of Defense),527 the importance of intelligence and counterintelligence

cannot be overstated. It is crucial to know and understand both the (quantitative) capacity and

capability of (potential) hostile parties, and also the motive/s that those parties may have for

undertaking cyber operations in the first instance. This is where the intelligence discipline comes

in; many (if not most) of the tenets and practices of traditional intelligence operations can be

translated almost directly from the physical world to cyberspace. The point of intelligence is to

know one’s enemy, and given the combination of high amounts of information that can be

accessed, the frequency of communications, and the many security vulnerabilities to attacks, this

can be done as well, or better, through cyberspace or via cyber-assisted means as it can through

traditional tradecraft. Counterintelligence performs the explicit purpose of preventing and/or

disinforming the intelligence operations of hostile parties, as well as tracking down any possible

‘turncoat’ individuals in domestic positions.528 While this, too, translates almost seamlessly into the

cyber domain, it must be pointed out that operations in cyberspace are not relegated or restricted

by geographic or political borders, and in fact are more likely than not to cross multiple

jurisdictions and involve individuals of multiple nationalities.

While it is true that the physical infrastructure supporting cyberspace is located in specific

jurisdictions, it cannot be denied that short of actually ‘turning off’ certain sections of that

supportive infrastructure, there is little that can be done about settling jurisdictional disputes if the

states party are uncooperative.529 Consider the following example: state A is in pursuit of an

individual or group that created a virus in state B, spoofed the ISP (Internet Service Provider)

address or used a VPN (virtual private network) that geolocated the device of origin in the

527 William J. Lynn III, “Cybersecurity - Defending a New Domain,” U.S. Department of Defense, 2010, https://archive.defense.gov/home/features/2010/0410_cybersec/lynn-article1.aspx; Lesley Seebeck, “Why the Fifth Domain Is Different,” The Strategist, September 4, 2019, https://www.aspistrategist.org.au/why-the-fifth-domain-is-different/; United States Department of Defense, “Department of Defense Strategy for Operating in Cyberspace” (United States Department of Defense, 2011), https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf. 528 Lowenthal, Intelligence: From Secrets to Policy, 201. 529 American Society of International Law, “Beyond National Jurisdiction: Cyberspace,” American Society of International Law, 2017, /topics/signaturetopics/BNJ/cyberspace; Wolff Heintschel von Heinegg, “Legal Implications of Territorial Sovereignty in Cyberspace,” in 4th International Conference on Cyber Conflict, ed. C. Czossek, K. Ziolkowski, and R. Ottis (NATO CCDCOE Publications, 2012).


176

jurisdiction of state C, diffused that virus through multiple other jurisdictions and eventually

reached the targeted systems in state A. Which state is ultimately responsible for the effects of the

attack? With which states would state A need to cooperate in order to arrest the attackers? Short

of regional or international agencies with overarching jurisdiction (like Interpol in Europe)530 the

bureaucratic requirements would make such operations costly both in terms of financing and

effort. It may be impossible to prevent all attacks like this, but it should be possible to deter all but

the most determined of adversaries by increasing the cost of conducting the attack. Appropriate

and efficient use of CCI by the individuals and government in State A may have reduced the

severity of the consequences of the virus; similar practices in State C may have reduced the

potential to be use as a vector by hostile parties. Alternately, more efficient use of CCI practices

by the hostile actor may have prevented State A from being able to trace the trajectory of the virus

in the first place.

Counterintelligence, in a word, is the effort to make such attacks more costly and more unlikely to

occur; if counterintelligence officers and operators can make the opportunity cost of entering cyber

conflict higher than the benefit of maintaining a neutral cyber presence, then the balance of

likelihood of cyber conflict tips further toward the negative. By actively countering attempts to

collect intelligence on both domestic and allied cyber systems, individuals, organisations and

governments, CCI operators are reducing the overall offensive advantage of hostile parties in

cyberspace, by negating or decreasing the benefit to be gained if conflict (exploitative) operations

are undertaken. Effectively, good CCI is a form of deterrence by denial.

The key here is to realise that in addition to the immediate consequences of data corruption and

exfiltration, it is also the responsibility of the CCI discipline to subvert the efforts and operations

of hostile parties to affect negative change in a particular polity, be it individual, organisational,

national, regional, or international. In these terms, the attempts on the part of Russian hackers to

influence the outcome of the US’ 2016 and 2018 elections can be termed a failure of US CCI:

malicious actors were able to infiltrate sensitive systems, manipulate individuals for further access,

530 INTERPOL, “INTERPOL Member Countries,” INTERPOL, 2020, https://www.interpol.int/en/Who-we-are/Member-countries. I do note that the European Convention on Cybercrime (Treaty No. 185 with the Council of Europe, also known as the Budapest Convention) came into force in 2004 and has been signed by 46 States, ratified by 44. It is worthwhile to note that the Convention is limited in the crimes against which it is applicable, and being ratified by less than one third of sovereign States, needs to be developed further. Council of Europe, “Chart of Signatures and Ratifications of Treaty 185,” Treaty Office, November 4, 2021, https://www.coe.int/en/web/conventions/full-list.


177

exfiltrate data, and introduce disinformation into the political conversation,531 reducing the overall

trust in the electoral processes in the US. Moreover, the debates over foreign influence on the

results of the election are still continuing.532

In an increasingly digitised era, counterintelligence in cyberspace is rising in both importance and

necessity: in many respects, it is also failing to keep up with demand. This may be due to education;

in general when CCI can be said to have failed, it can in large part be attributed to human error

that the systems did not work as designed.533 Consideration of the human factor is crucial to the

understanding and successful practice of CCI. The future resilience of cyberspace systems and

cyber-enabled technologies will depend upon the acknowledgement that humans design, build,

program, and use these systems and technologies. Cyber resilience and security starts with, and

rests on, the audience understanding and practicing CCI. As humanity moves further into the

realms of machine learning and artificial intelligence, our ability to differentiate true from false

information and engage in risk management processes will only increase in importance.

It has already been proven that early-stage artificial intelligences are exhibiting learned race and

gender biases, inherited from their human designers.534 When individuals do not admit to or

recognise inherent psychological models and biases, these cannot be mitigated against in thought

and decision-making, affecting how those individuals will act and react in certain situation. Without

training to recognise biases, or false information, and the techniques to mitigate against that false

information and the belief echoes it can cause,535 the (counterintelligence) system will not work as

531 CNN Editorial Research, “2016 Presidential Campaign Hacking Fast Facts,” CNN, October 28, 2020, https://www.cnn.com/2016/12/26/us/2016-presidential-campaign-hacking-fast-facts/index.html; Gerstein, “U.S. Brings First Charge for Meddling in 2018 Midterm Elections”; Donie O’Sullivan, “Facebook: Russian Trolls Are Back. And They’re Here to Meddle with 2020,” CNN, October 22, 2019, https://www.cnn.com/2019/10/21/tech/russia-instagram-accounts-2020-election/index.html; Alina Polyakova, “The Kremlin’s Plot Against Democracy,” Foreign Affairs, 2020, https://www.foreignaffairs.com/articles/russian-federation/2020-08-11/putin-kremlins-plot-against-democracy. 532Henschke, Sussex, and O’Connor, “Countering Foreign Interference: Election Integrity Lessons for Liberal Democracies.” See also chapter six for a detailed analysis of this problem and its relation to CCI. 533 Rishi Bhargava, “Human Error, We Meet Again,” Security Magazine, December 6, 2018, https://www.securitymagazine.com/articles/89664-human-error-we-meet-again?v=preview; Ross Kelly, “Almost 90% of Cyber Attacks Are Caused by Human Error or Behavior,” ChiefExecutive.Net (blog), March 3, 2017, https://chiefexecutive.net/almost-90-cyber-attacks-caused-human-error-behavior/; Daniel Miller, “The Weakest Link: The Role of Human Error in Cybersecurity,” Secure World Expo, January 14, 2018, https://www.secureworldexpo.com/industry-news/weakest-link-human-error-in-cybersecurity; Bob Violino, “Want to Help Stop Cyber Security Breaches? Focus on Human Error,” ZDNet, January 23, 219AD, https://www.zdnet.com/article/want-to-help-stop-cyber-security-breaches-focus-on-human-error/. 534 Daniel Cossins, “Discriminating Algorithms: 5 Times AI Showed Prejudice,” New Scientist, April 27, 2018, https://www.newscientist.com/article/2166207-discriminating-algorithms-5-times-ai-showed-prejudice/; Hannah Devlin, “AI Programs Exhibit Racial and Gender Biases, Research Reveals,” The Guardian, April 14, 2017, https://www.theguardian.com/technology/2017/apr/13/ai-programs-exhibit-racist-and-sexist-biases-research-reveals. 535 See chapter six for a discussion of belief echoes.


178

intended. This is not to say that technology does not occasionally spontaneously malfunction:

anyone who has attempted to use a computer program of any kind will be well aware of the capacity

of technology to simply ‘not work’ as it is supposed to. The essential point here is that CCI

necessarily involves human factors in cyber security. In fact, this embrace of the human factors in

CCI is one of the significant contributions that engagement with counterintelligence can provide

to discussions of cyber security. This is, in part, what this thesis is designed to mitigate: to extend

enquiry into a field where little academic research has occurred, in order to better understand an

area of crucial importance to both individual and national security.

Development

The history of CCI is thus far a comparatively short one; cyberspace has existed for only a few

decades,536 and its past is thus fairly easy to examine. However, this chapter is not concerned with

the history and development of cyberspace itself; this was briefly considered in the chapter three

discussion on the riskification and potential securitisation of cyberspace, and so will not be

explored again here. CCI specifically can only really be traced as a disparate subset of the

counterintelligence field for approximately the last twenty to thirty years, and even so has rarely

been referred to in such specific terms as “CCI.” In the academic field, CCI has only truly begun

to be explored within the last decade.537 Comparative to the counterintelligence field as a whole

and to intelligence in general, and the burgeoning development of the interdisciplinary study of

cyber security, there is a relative dearth of literature available discussing CCI as a practice, as a field,

or in academic terms for examination and analysis. Much of the recent development in the field

of CCI is due to the (reactionary) creation of the computer emergency response teams (CERTs)

that form part of the governmental and institutional/corporate response to potential cyber-borne

threats that have been formed in many states, including the UK.538

CCI practices are something that have become more and more crucial as the number of people

that have access to cyberspace and cyber-enabled technologies grows. Like in the Western

536 Cerf, “A Brief History of the Internet & Related Networks”; Defense Advanced Research Projects Agency, “Paving the Way to the Modern Internet.” 537 See, among others, Duvenage and Solms, “The Case for Cyber Counterintelligence”; Duvenage and von Solms, “Putting Counterintelligence in Cyber Counterintelligence: Back to the Future”; Sigholm and Bang, “Towards Offensive Cyber Counterintelligence.” 538 Also known as computer security incident response teams (CSIRTs). European Union Agency for Cybersecurity, “CSIRT Inventory”; Forum of Incident Response and Security Teams, “FIRST Teams,” FIRST — Forum of Incident Response and Security Teams, 2021, https://www.first.org/members/teams; International Cyber Center, “C.E.R.T in Rest of the World”; United Nations Institute for Disarmament Research, “UNIDIR Cyber Policy Portal,” UNIDIR Cyber Policy Portal, 2021, https://unidir.org/cpp/en/.


179

Australia password example,539 many individuals do not take security protocols seriously enough;

while that may or may not end up causing significant grief for a random private citizen, violation

of both common sense and security practices (like having easily-guessed passwords) when you are

a civil servant or member of a defence force can result in greater consequences for the security of

the state.540 This, perhaps, is one of the reasons that Hillary Clinton’s 2016 Presidential campaign

suffered so much damage from the revelation that she had been using a private email server for

the duration of her time in office as Secretary of State.541 In combination with the Russian hack of

the Democratic National Committee (DNC) and the exfiltration and subsequent publication of

sensitive documents, which was accomplished through the targeted phishing of former and current

DNC staffers, we can clearly see the human factor of CCI where problems and vulnerabilities

arise.542 One of the most important elements of future CCI development will be in education.

Education of the general populace in basic cyber security (to include basic cyber

counterintelligence) practices; further education of military forces and civil servants; and

investment in greater CCI innovation will be among the most crucial elements of any future CCI

policy. The vulnerability in cyber security and CCI identified and highlighted by the research

undertaken for this thesis is the human factor, which must be managed in order for there to be a

resilient cyberspace going forward.

How should we define cyber counterintelligence in terms of acts and actions? In addition to the

definition introduced in my 2017 chapter Cyber Counterintelligence: Concept, actors and implications for

security and articulated in chapter two, I also introduced a limited typology of intelligence collection

in cyberspace: passive, active, and proactive. The second half of this chapter will build on the

typology introduced in prior research, elaborating on the differences between active, passive, and

proactive cyber counterintelligence practices to best understand the discipline and the research

field.543

539 See chapter two, section “Defining cyber counterintelligence.” 540 In 2019, a NATO research group tested the vulnerability of professional soldiers to intelligence collection efforts and social engineering. Using social media and other information available online, the researchers identified approximately 150 soldiers that were ‘recruited’ to various Facebook pages; their battalions and movements were identified, and those personnel were compelled into a series of undesirable actions. Issie Lapowsky, “NATO Group Catfished Soldiers to Prove a Point About Privacy,” Wired, February 18, 2019, https://www.wired.com/story/nato-stratcom-catfished-soldiers-social-media/. 541 Zurcher, “Hillary Clinton Emails - What’s It All About?” 542 Barrett, “DNC Lawsuit Against Russia Reveals New Details About 2016 Hack”; Crowdstrike, “Our Work with the DNC: Setting the Record Straight,” Crowdstrike (blog), June 5, 2020, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/; Satter, Donn, and Day, “Inside Story.” 543 O’Connor, “Cyber Counterintelligence,” 117–18.


180

Purpose

CCI is generally intended to subvert the actions of hostile parties that seek to negatively impact

the state (or the entity in question, if not a state) through collection of intelligence or exploitation

of cyber security vulnerabilities, as well as to effectively function as the ‘police’ for one’s own

personnel and assets, to avoid defection or provision of intelligence to a hostile or otherwise

unauthorised party.544 As this relates to counterintelligence, the purpose is much the same.

Translated into cyberspace, however, there are a number of variables which make

operationalisation and function of counterintelligence more difficult, or at least challenging in

different ways. In the physical domain, there are actions that can be performed which will provide

a great degree of certainty in security measures, relative to the perceived security when these actions

are not performed, such as bug sweeps, perimeter checking and surveillance, identification

verification, the use of white-noise generators to stifle sound that could be picked up by mid- to

long-range microphones, and so on.545

There is a certain level of the ‘known known’ and the ’known unknown’ that can be assertively

mitigated and combatted to increase both perceived and actual levels of security.546 In cyberspace,

however, there is a far lesser degree of confirmable knowledge; that is to say, the technology is still

new enough and uncertain enough that we cannot conclusively say that bug sweeps are efficient,

that the perimeter is capable of being checked and surveilled (what is a perimeter in cyberspace?),

that identification can be verified without doubt. This is in-part what makes attribution so difficult

in cyberspace and speaks to what Nina Kollars calls the “spaghetti nature – interconnected,

overlapping, and messy” of cyber and intelligence – “the tools of intelligence competition are

available to everyone [in cyberspace]. The battle space for intelligence competition grows by the

minute. The holder of the tools and the space itself is everyone.”547

544 Noting that the original typology classifications were passive, active, and aggressive, it is important to note that this typology has evolved over the conduct of research for this thesis and the version contained herein is updated from the original. O’Connor, 110. 545 Hank Prunckun, Counterintelligence Theory and Practice, 2nd ed. (Lanham: Rowman & LIttlefield Publishers, 2019), 128–29; 160–65, https://rowman.com/ISBN/9781786606884/Counterintelligence-Theory-and-Practice-Second-Edition. 546 According to former Secretary of Defense Donald Rumsfeld, "There are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know." Donald Rumsfeld, “Defense.Gov Transcript: DoD News Briefing - Secretary Rumsfeld and Gen. Myers,” U.S. Department of Defense, February 12, 2002, https://web.archive.org/web/20190428122842/https://archive.defense.gov/Transcripts/Transcript.aspx?TranscriptID=2636. 547 Kollars, “Cyber Conflict as an Intelligence Competition in an Era of Open Innovation.”


181

Traditionally, counterintelligence practitioners are responsible for finding and subverting the

actions of parties foreign or domestic that seek to undermine the actions of security agencies as

relate to securing the state against threats.548 This has translated fairly directly into cyberspace: it

remains a primary obligation for counterintelligence agencies and operatives, though again, the

sophistication of modern technologies and the sheer incomprehensible size of the Internet in the

first instance, as well as the complexity of the cyber domain and cyber-physical infrastructure in

the second, have made this an exceedingly difficult duty to fulfil. In addition, given the opportunity

provided by the relatively low cost of entry into and use of cyberspace, the number of parties that

may be exfiltrating data on behalf of foreign or domestic parties is exponentially larger than it

would be traditionally.549 The definition of cyber counterintelligence accepted in this thesis assigns

several responsibilities to the CCI discipline: preventing, identifying, tracing, penetrating,

infiltrating, degrading, exploiting and/or counteracting the attempts of any entity to utilise

cyberspace as the primary means and/or location of intelligence collection, transfer or exploitation;

or to affect immediate, eventual, temporary or long-term negative change otherwise unlikely to

occur. Evidently, intelligence gathering on behalf of foreign/hostile entities is not the only concern

of CCI operatives: in addition to data exfiltration, those same parties are perfectly capable of data

infiltration and corruption, of depositing viruses and logic bombs for later deployment, and of

leaving themselves ‘back doors’ hidden from CCI practitioners in order to re-enter the space in

question at a later date. Perhaps functionally equivalent to the Cold War-era listening devices and

short-range transmitters, in cyberspace these are exceedingly difficult to locate or attribute, and as

we have seen, some malware are able to exist and function within a system or multiple systems for

months and years without being detected.550 This is the constant danger of cyber-based intelligence

operations, and one that must be constantly guarded against: a battle that must be waged

persistently but in which is difficult, if not impossible, to be victorious. Moreover, as we see in

chapter six, CCI now has to consider widespread disinformation campaigns launched and

coordinated by adversarial state actors.

548 Lowenthal, Intelligence: From Secrets to Policy, 201. 549 Jason Healey and Robert Jervis, “The Escalation Inversion and Other Oddities of Situational Cyber Stability,” Texas National Security Review, September 28, 2020, http://tnsr.org/2020/09/the-escalation-inversion-and-other-oddities-of-situational-cyber-stability/; Kollars, “Cyber Conflict as an Intelligence Competition in an Era of Open Innovation.” 550 Moonlight Maze, for example, targeted US military and government systems. Active from 1996-2003, sections of the original code have been found in several updated exploits in the last decade. See Guerrero-Saade et al., “Penquin’s Moonlit Maze: The Dawn of Nation-State Digital Espionage”; Osborne, “Ancient Moonlight Maze Backdoor Remerges as Modern APT”; Pankov, “Moonlight Maze.”


182

In terms of securing and maintaining one’s own systems, counterintelligence practitioners are

responsible for both repelling and routing attempts of second parties to gather intelligence on the

state’s capabilities, personnel, technologies, economy, and so on. This focus on cyberspace as locus

for intelligence collection and exploitation operations separates CCI from cyber security, broadly

defined as the protection of the integrity and availability of systems and networks. For an

illustration of the relationship between CCI and cyber security, see Figure 1 The Elements of Cyber

Security. James Angleton’s description of counterintelligence as a wilderness of mirrors seems an

apt description for the current state of counterintelligence in cyberspace, wherein attribution is

improbably difficult.551 As in traditional counterintelligence, denial and deception are part and

parcel of the CCI discipline. The problem, however, is the peculiarly well-suited nature of

cyberspace to both denial and deception: it is relatively simple to ‘spoof’ your location and provide

fraudulent identification credentials, complicating tracing and identification.552 The growth of

government bureaucracies and exponential increase of both official personnel as well as

contractors and consultants has also increased the size and value of the target environment for

intelligence collectors, making subversion operations more difficult to operationalise. The laissez-

faire attitude and lack of education or knowledge in the field of a large percentage of individuals

toward device and network security is also a significant setback to CCI operatives and agencies.553

Finally, the increased reliance of people and institutions on information accessed through the

Internet requires counterintelligence practices to be increasingly engaged with identifying and

combating disinformation, misinformation, and conspiracy theories.

As we have seen, CCI efforts are inextricably intertwined with cyber intelligence and also cyber

security. The multi-use nature of many cyber-assisted and -enabled technologies, and the

innovative purposes to which they can be turned, has resulted in opportunities and vulnerabilities

that serve in multiple security fields. As such, the same operations that might be designed to repel

or subvert the attempts of hostile parties to collect intelligence (or CCI) may also be used to test

551 For discussions on attribution in cyberspace, see Allan, “Attribution Issues in Cyberspace”; Robert K Knake, “Untangling Attribution: Moving to Accountability in Cyberspace,” § Subcommittee on Technology and Innovation of the United States House of Representatives (2010); Erik M. Mudrinich, “Cyber 3.0: The Department of Defense Strategy for Operating in Cyberspace and the Attribution Problem,” Air Force Law Review 68 (2012): 167–206; Joseph S. Nye Jr., “Deterrence and Dissuasion in Cyberspace,” International Security 41, no. 3 (January 2017): 44–71, https://doi.org/10.1162/ISEC_a_00266; Michael N. Schmitt and Liis Vihul, “Proxy Wars in Cyberspace: The Evolving International Law of Attribution Policy,” Fletcher Security Review 1, no. 2 (2014): 53–72. 552 Made more difficult with the use of tools such as ToR (The Onion Router). One issue inherent in these practices is that individual CCI would encourage ToR; state CCI would be made more difficult by same. TOR, “The Tor Project | Privacy & Freedom Online,” TOR, 2021, https://torproject.org. 553 Bisson, “‘123456’ Remains the World’s Most Breached Password”; National Cyber Security Centre, “Most Hacked Passwords Revealed as UK Cyber Survey Exposes Gaps in Online Security”; Telford, “1,464 Western Australian Government Officials Used ‘Password123’ as Their Password. Cool, Cool.”


183

new or repaired cyber security software (cyber security), or even to collect intelligence on the entity

whose own attempts at collection are being subverted (cyber counterintelligence). However, the

interconnected nature of cyber intelligence, counterintelligence and security is also a vulnerability

due to those same elements: if a hostile party succeeds in avoiding domestic counterintelligence

efforts, then they themselves are in a position to collect intelligence, to perform counterintelligence

activities aimed at subverting domestic intelligence efforts, and to otherwise negatively impact

domestic cyber security by planting logic bombs or further malware which can be activated in

(potential) future conflicts.

CCI technologies are not really a novel field, simply one where technology is being repurposed for

alternate ends than those for which they were designed. While it is true that actors in cyberspace

may develop programs or applications with counterintelligence purposes in mind, this is

reactionary practice to similar programs that are already in existence and operating at cross-

purposes. One effect of new technologies is the fact that counterintelligence, and CCI in particular,

are constantly on the back foot: counterintelligence is often a reactive discipline, responding to

events rather than pre-empting or anticipating them, and this is unlikely to change in the near

future given the increasing velocity of technological innovation and change. Implementation of

new technologies often supersedes any security concerns, thus requiring more of

counterintelligence practices and practitioners at a later date.554 While this means that CCI

practitioners and users are being forced to innovate almost as quickly as other parties, you cannot

guard against what you do not know. Once more, the offensively-advantaged nature of cyberspace

lends force to whichever party innovates an attack over a defence.

Practice

CCI is not uniquely within the purview of states. While states are among the greatest (and most

important) practitioners of CCI practices, these are also available to (and utilised by) a number of

other entities in the international system, and in the upcoming sections on tactical and strategic

CCI, I have generalised these entities into three subgroupings for the purposes of this thesis: states,

organised groups, and individuals. I further explore these aggregates in the final section of this

554 Mark Fenwick, Wulf A. Kaal, and Erik P. M. Vermeulen, “Regulation Tomorrow: What Happens When Technology Is Faster Than the Law?,” American University Business Law Review 6, no. 3 (2016): 561–94, https://doi.org/10.2139/ssrn.2834531; Camino Kavanagh, “New Tech, New Threats, and New Governance Challenges: An Opportunity to Craft Smarter Responses?,” Carnegie Endowment for International Peace, August 28, 2019, https://carnegieendowment.org/2019/08/28/new-tech-new-threats-and-new-governance-challenges-opportunity-to-craft-smarter-responses-pub-79736.


184

chapter, enumerating subtypes of actor within each actor class and how they might or should use

CCI.

While many CCI practices are generalizable to the particular subgroup and/or all users or

cyberspace, it can also be said that the practice of CCI is different for every one of these entities.

For example, while individuals and states both have reasons to protect private information, the

information under consideration and the lengths to which the two entities would go to ensure that

security are different. More importantly, when you disaggregate the groupings and look at

individuals within the subgroup, each of those entities (two states, two groups, two individuals,

etc.) would undertake security and counterintelligence practices in a different manner, according

to a unique set of principles, and with a specific set of dedicated resources. While states are the

principal focus of this research, it is important to realise that conclusions drawn about the

importance, efficacy, and utility of CCI practices do not just apply to states, which, according to

Nina Kollars, “are not the primary agents in cyberspace.”555 In addition, conflict in cyberspace has

not been, is not, and will not be limited to state contra state situations: in cyber conflict where the

state may be one of the involved parties, it is quite likely that the opposing party will be an

individual or an organised group, and, as such, a general understanding of the ways in which

alternate entities engage in CCI practices is advised. It is also quite likely (and in fact more

common) that cyber conflict will not involve a state at all, though state representatives may find

themselves involved in a cyber conflict or exploitative situation irrelevant of their professional

status.556

Further to this, note that counterintelligence (including CCI) practices become more important

the closer an individual or organised group/institution is to a critical institution, such as

government or the military; as the term counterintelligence suggest, the idea is to prevent hostile

or opposing parties from collecting intelligence that may be employed against yourself or (perhaps)

your allies. This doesn’t necessarily even involve specifically ‘cyber’ practices and is in part

dependent on the human element. The uptake in the popular use of ‘wearables,’ or cyber-enabled

555 Kollars, “Cyber Conflict as an Intelligence Competition in an Era of Open Innovation.” 556 When the Democratic Republic of North Korea (CPRK or North Korea) hacked the Japanese company Sony, for example, the US government responded. See BBC News, “Sony Pays up to $8m over Employees’ Hacked Data”; David Brunnstrom and Jim Finkle, “U.S. Considers ‘proportional’ Response to Sony Hacking Attack | Reuters,” Reuters, December 19, 2014, https://www.reuters.com/article/us-sony-cybersecurity-northkorea-idUSKBN0JW24Z20141218; Ellen Nakashima, “Why the Sony Hack Drew an Unprecedented U.S. Response against North Korea,” Washington Post, January 15, 2015, sec. National Security, https://www.washingtonpost.com/world/national-security/why-the-sony-hack-drew-an-unprecedented-us-response-against-north-korea/2015/01/14/679185d4-9a63-11e4-96cc-e858eba91ced_story.html.


185

devices that track variables such as heart rate, calories burned, and distance travelled, and are also

GPS-enabled, have added to the security risk of the military for example. A recent case illustrated

the damage potential of a concentration of such devices in a specific geographic locale; US military

personnel using Fitbits or other fitness trackers quite literally provided a map of a classified military

base because they uploaded their data to ‘the cloud’ and, by aggregating that data, these devices

provided a highly accurate map of that base.557 This was mitigated on discovery but not before a

highly-publicised series of tweets announcing the dangers of such devices that previously had not

been considered (complete with photographs and diagrams of the base in question) was

circulated.558 Beyond the importance of protecting personally identifiable information and

movement data, there is the ongoing potential that disinformation campaigns by hostile actors will

be utilised against all of the classes of actor identified in this chapter, and the relationships of those

actors with each other will affect both the targeting of disinformation campaigns, which can be

very specific, and the potential severity of the consequences of those campaigns. Practicing CCI

will enable earlier and more efficient mitigation of disinformation, which will increase, in turn, the

resilience of the democratic state as well as the audience itself.

The succeeding sections will offer definitions and discussions on both the utility classifications and

the operational classifications offered in this research as elements of a basic typology of CCI. It is

crucial to understand how, why, and in what context different CCI practices are used or misused

in order to further our understanding of the discipline as a whole, and to contribute to the

elucidation and education concerning the general fields of intelligence and counterintelligence.

This typology is by no means exhaustive, and is intended to be a foundation of future research as

well as an integral pillar of the understanding of CCI, which this thesis is designed to provide.

A Typology of Cyber Counterintelligence

In the modern era, the state is far from the only actor innovating, exploring, and employing CCI

practices. As said, whether consciously or not, most people with access to a cyber-enabled device

employ CCI. In its simplest forms, this includes the aforementioned password example; it can even

be such a small thing as actively covering the keypad to disguise your PIN when you use an ATM

machine to check your balance or withdraw cash. Every single person who has at any point utilised

557 Jeremy Hsu, “Strava Data Heat Maps Expose Military Base Locations Around the World,” Wired, January 29, 2018, https://www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy/. 558 Hsu; Nathan Ruser, “Strava Released Their Global Heatmap,” Twitter, January 28, 2018, https://twitter.com/Nrg8000/status/957318498102865920; Jon Russell, “Fitness App Strava Exposes the Location of Military Bases,” TechCrunch (blog), January 29, 2018, https://social.techcrunch.com/2018/01/28/strava-exposes-military-bases/.


186

a machine that interfaces with cyberspace infrastructure is almost certain to have employed, to

some degree, CCI practices. You don’t have to be actively aware of this to do it. However, there

are levels to CCI practices; they are not all the same, and not all practices will suit all problems.

How an actor approaches CCI dovetails with the threat elevation analysis framework detailed in

chapter three – if cyberspace is viewed as an increasing threat, for example, the expectation is that

there would be a greater emphasis on active and proactive CCI by state actors, and potentially by

groups and individuals depending on their understanding and context. If an actor is confident in

their achievement of cyber security or resilience and has managed to repel or deter cyber-attacks

and exploitation attempts, it may be that there is a threat attenuation process, be that de-

securitisation or de-riskification, and the expectation would be that management would continue

without further innovation or investment. In this context, we might expect to see only passive or

active CCI practices. The maturity of an actor’s approach to cyber security and CCI practices will

also reflect in whether there is an overall strategic understanding and operationalisation at play, or

whether that actor is still engaging in reactionary CCI on a tactical level.

In this section, I identify three broad utility classifications: passive, active, and proactive. It is

important to note that none of these three categories are mutually exclusive, and, in fact, any actor

operating in cyberspace can employ any combination thereof. In addition to defining each of these

classifications, I will give examples of the practice under consideration, and the particular

technologies employed at each level and by the different identified subgroups. This is not to say

that these classifications, practices or technologies are mutually exclusive: on the contrary, they

can be mutually reinforcing, and are employable in any given combination. It may be helpful to

consider the utility classifications as a circular spectrum rather than a stepladder: a particular

technology or practice in the hands of one entity will be of different use and efficacy than in the

hands of another, but (theoretically) under no circumstances would it be useless.559 In addition to

the utility classifications, in later sections I will also offer two broad operational classifications,

identifying and examining tactical CCI and strategic CCI. Broadly speaking, most entities will at

some point utilise one or both, whether consciously or unconsciously. The utility classes of CCI

interrelate with the operational classes, so it is possible to have tactical proactive CCI and strategic

active CCI. As with the utility classes, the operational classes CCI are mutually reinforcing rather

than mutually exclusive, though unlike the utility classes, the operational ones are more likely to

be observed at the organised group/institution or state level, rather than the individual level.

559 Consider a dartboard: as long as the player is skilled enough to land the dart on the board, anywhere on that board will be worth points. Some areas are worth more (higher degree of utility) and some are worth less (lower degree of utility) but no matter where the player lands the dart it will be worth something (degree of security).


187

Passive, Active, Proactive Intelligence Collection

In order to best understand both the various types of counterintelligence practices that apply to

actions and intelligence collection in cyberspace, it is first necessary to understand the nature of

those actions themselves. Making a study of the way that various actors (hostile or otherwise)

utilise cyberspace will offer insight into (potential) current and future threats, and may aid in the

development of security models. If we are able to discover the manner of utilisation and/or the

method by which operations in cyberspace are undertaken, it may then be possible to discover the

motivation behind the action as well. It is important, then, to examine and analyse cyberspace

operations on a case-by-case basis in order for the aggregate classification of actions to be able to

offer specific and utilisable conclusions. Counterintelligence practices do not exist without there

first being intelligence actions and collection efforts, so the aggregate model discussed here refers

mainly to intelligence collection efforts and their broad categorisation into passive, active, or

proactive. Following a brief examination of each of these categories, and a discussion of the

potential actions within each category, I will continue with an exploration of how these aggregate

categories may also be applied to counterintelligence actions in cyberspace and what these actions

may look like.

Passive

Passive collection in cyberspace refers to the broad class of actions by which an entity is engaged

in “the continual absorption of information by the actor of freely available information”.560 That

is to say, there is no pursuit of information by the entity in question: all information arrives freely

and without (undue) influence by the intelligence ‘collector’. In other words, raw information

received by passive collection in cyberspace could also be referred to by the intelligence phrase

‘background noise’.561 Passive collection in cyberspace could include (but is in no way limited to)

reading news headlines as you scroll through social media feeds; listening to radio news in the car

or on the train during your daily commute (see Table 1 – Passive, Active, Proactive Intelligence

Collection).562 Passive collection is differentiated from active collection in large part by intent. It

involves those measures or actions which are taken sub- or unconsciously, or without active

attention being paid – without the intent to collect information.

560 O’Connor, “Cyber Counterintelligence,” 117. 561 Background noise is an intelligence term, also known as ‘chaff,’ which refers to the abundance of information that is collected or available which is not usually directly relevant to the collector’s interests, but becomes apparent in the course of operations anyway (as opposed to the ‘wheat,’ or valuable intelligence). Lowenthal, Intelligence: From Secrets to Policy, 87. 562 Original form appeared in O’Connor, “Cyber Counterintelligence,” 118.; updates made to the current table.


188

Table 1 – Passive, Active, Proactive Intelligence Collection

Active

Moving beyond passive collection, active (intelligence) collection in cyberspace is herein

understood as “the pursuit of freely available information concerning a specific topic of

enquiry”.563 Whereas passive collection involves the ad hoc and largely unconscious absorption and

filtering of raw information, active collection requires that not only that conscious effort be made

on the part of the entity in question, but also that there be a specific end toward which the entity

is working. An important facet of this category is the nature of the intelligence which is collected:

it cannot be, in any way, restricted, classified or otherwise secret. Active intelligence collection, like

passive intelligence collection, can only be employed in the pursuit of freely available information

but, to make it distinct from passive collection, requires a specific intent of discovery. Collection

efforts may include (but are not restricted to) searching (for) specific social media accounts; seeking

out and exploiting particular news sites, sources, or feeds; interviewing specific individuals (from

which the resulting intelligence is not restricted access); and contacting particular individuals about

specific topics in search for further sources.564 The practice of dragnet surveillance is considered

active collection because the information is gathered with the intent of having it available for

intelligence, law enforcement and security actors to use.

563 O’Connor, 116. 564 O’Connor, 117. Information which is paywalled but is created for the purpose of dissemination, such as scholarly works written for journals or journalistic reporting that requires a subscription for access, is still considered freely available as that access if not subject to clearance.

Passive Collection Active Collection Proactive Collection

Possible Actions Checking recent newsfeeds on social media. Reading news headlines. Listening to radio news in the car.

Searching for specific social media accounts. Searching for specific news items or searching particular news sites. Interviewing specific individuals.

Hacking private accounts. Stealing information. Writing/using malware. Utilising keyboard loggers. Cookie distribution and tracking. Decryption of communications and data.


189

Proactive

The highest tier of the CCI model and the category that presents the highest degree of (potential)

danger to a targeted entity, proactive collection in cyberspace refers to those actions which are

undertaken in order to acquire or reveal restricted, classified, or otherwise secret information that

efforts have been made to conceal; or, information that would by common understanding be

considered private, such as personally identifiable information (PII).565 Proactive intelligence

collection in cyberspace usually involves actions which have become fairly well known through

popular media, such as (but not limited to) the hacking of private accounts (email, social media,

various websites); the theft and/or distribution of private information (health/medical, financial);

the development and creation of malware designed to obtain protected information; and the

decryption of communications and data.566 Proactive collection in cyberspace is arguably most

highly utilised by states or state-supported parties due to the expense and complexity of the above-

mentioned actions. In addition, the fact remains that the modern state has both more to protect

in cyberspace and also more to discover (for the purposes of self-interest) than most other active

entities operating in cyberspace today.

Passive, Active, Proactive CCI

The aggregate utility classifications in this section have so far referred to intelligence collection

efforts, largely because it is those actions that counterintelligence operations must be designed to

thwart. Now that we have a basic understanding of the typology of intelligence collection in

cyberspace, we can apply the aggregate model to CCI practices, and begin to understand how these

actions and their potential motivations impact the discipline and practice of CCI itself. The next

sections will discuss passive, active, and proactive CCI before moving on to the operational

applications of CCI.

Passive CCI

As presented here, passive CCI is the set of practices undertaken by individuals on a regular basis

that maintain or improve their cyber security, which they may or may not realise are counterintelligence

practices. A large part of the aggregate model of utility classification used here involves intent.

Passive CCI includes those measures which are undertaken without the specific intent to engage in

565 O’Connor, 117. It should be noted that there are multiple conceptions of what constitutes a breach of privacy. While beyond the remit of this thesis, see Adam Henschke, “Privacy, the Internet of Things and State Surveillance: Handling Personal Information within an Inhuman System,” Moral Philosophy and Politics 7, no. 1 (May 26, 2020): 123–49, https://doi.org/10.1515/mopp-2019-0056. 566 O’Connor, “Cyber Counterintelligence,” 117.


190

CCI practices. They include those practices which, sub- or unconsciously, thwart passive

intelligence collection, such as choosing not to post personal information or family photos on

social media (see Table 2 – Passive, Active, Proactive Cyber Counterintelligence). In keeping with

the general practice of analogising cyber practices and events with the medical field, passive CCI

might be akin to passive bodily functions such as blinking or breathing; they are things that we as

individuals do without actually thinking about the action or the purpose. We simply perform the

function.

Table 2 – Passive, Active, Proactive Cyber Counterintelligence

Younger generations, or those individuals in professions which educate them about ‘cyber hygiene’

practices are more likely to have habituated themselves to such practices, having either grown up

with, or been accustomed to, constant utilisation of cyber-assisted or -enabled devices. Such

practices form the foundation of what we would consider basic cyber security, or what has been

termed cyber hygiene.567 Such practices would include not entering passwords in front of people,

or in such a way that it becomes obvious what your password is; changing your password regularly;

not using the same password for multiple accounts; not using easily guessed passwords;568 logging

out of an account once you have finished using it instead of just closing the browser window;

deleting (unopened) suspicious emails or emails from unknown people; and password or PIN-

567 Australian Cyber Security Centre, “The Commonwealth Cyber Security Posture in 2019.” 568 Such as ‘password’ (or similar), ‘12345678’ (or similar), or your name/pet’s name and date of birth.

Passive CCI Active CCI Proactive CCI

Possible Actions

Covering your password when entering it on a shared computer Logging out of accounts when not actively using them Deleting (unopened) suspicious emails Deleting (unopened) emails from unknown persons Password or PIN-protecting your devices

Regularly changing device and account passwords Logging out of operating accounts on shared computers Reducing the use of/avoiding public WiFi Enabling firewalls on computers Concealing of (personal) information Verification of information found through secondary or tertiary sources

Engaging in honeypot operations to trap adversary actors Creation of purpose-built software for espionage or exploitation ‘Poisoning the well’ Hack-backs and reversal/implementation of exploits Identification and shaming campaigns when disinformation is identified


191

protecting your devices. These are actions that many people undertake every single day, most

without realising that they are, in fact, employing CCI practices in their normal life. Unfortunately,

many people do not employ even passive CCI and thus we still have people who use ‘password’

as their password, still click on attachments in emails from unknown people, and do not password

or PIN-protect their devices, among several other common and basic mistakes.569

Education in the use, misuse, and abuse of cyberspace is at best nascent, and at worst non-existent.

Much like the rest of cyberspace, education in relation to the cyber domain has been ad hoc and

largely disorganised, more a practice of dealing with ‘it’ when it occurs, whatever ‘it’ may be,

according to situation and context. Again, the offensively-advantaged nature of cyberspace

becomes relevant here because those who seek to exploit cyberspace seem to become familiar

with/more educated in the technical infrastructure of cyberspace and cyber-enabled technologies

as that knowledge results in exploitation advantage – consider the hunt for, and use of, zero-day

exploits, and the construction and use of botnets.570 As cyber defence is in large part reactionary,

there tends to be a lag in defensive knowledge, education, and innovation. In addition and as a

defensive mechanism, those seeking to exploit cyberspace profitably (and at length) will learn and

employ cyber security and CCI practices by necessity. As such, I contend that there are a greater

number of individuals and groups with the ability to exploit cyberspace through various means

than there are those who are familiar with even the most passive of CCI practices. This adds to

the offensive advantage currently dominant in the cyber domain.

At risk of repetitive statements, this is why education and research in the area of CCI are not only

important, but crucial to our security at various levels. The more the individual and the population

at large know about the security practices that they can employ to increase both their own security

and the security of the state at large, the likelier it will be that as a population, passive CCI practices

will enable greater resources to be put toward large issues of security concern. Eventually, practices

and processes that must initially require a greater percentage of effort and mindfulness, such as

protecting your password, changing it regularly, employing common sense when checking your

569 Bisson, “‘123456’ Remains the World’s Most Breached Password”; National Cyber Security Centre, “Most Hacked Passwords Revealed as UK Cyber Survey Exposes Gaps in Online Security”; Telford, “1,464 Western Australian Government Officials Used ‘Password123’ as Their Password. Cool, Cool.” 570 A compromised device is often called a zombie, as the actions taken by the device are ‘mindless.’ A botnet is a network of compromised devices, the combined computing power of which can be directed at targets by the botnet controller. See Garrett M. Graff, “The Mirai Botnet Was Part of a College Student Minecraft Scheme,” Wired, December 13, 2017, https://web.archive.org/web/20180210043047/https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/; Norton, “What Is A Botnet?,” Norton, 2019, https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html.


192

emails, and not posting compromising personal information in widely accessible public fora, will

become subconscious habit rather than an effortful requirement. Ideally, once a population is

habituated to such practices, security in general is improved as those people become both more

educated and more aware of the dangers that they expose themselves to when mindlessly utilising

cyberspace and cyber-enabled or -assisted technologies. A greater degree of passive CCI, utilised

by a greater percentage of the population, frees up state resources that previously may have been

required for mitigation in the public domain, to be turned to issues with a greater relevance or

danger to national or international security concerns.

One of the drawbacks of passive CCI is, of course, that no matter the degree of public education,

there are those individuals who either refuse to employ them, or who, despite willingness and best

intention, are unable to do so. This is an unavoidable pitfall of every foray into mass education on

a particular (security) practice, and one that, to the best of my knowledge, has yet to be successfully

prevented or mitigated. Public outreach can be difficult in the best of circumstances, and in an era

where political divides and clashing ideologies are greater than in recent memory that difficulty

may be exacerbated. Moreover, misinformation and disinformation is constantly being introduced

into the information environment – studies have demonstrated that even when individuals are

shown proof that their beliefs may be based in false information, those beliefs are either more

likely to solidify or will continue to affect their future perceptions even when accepted as false.571

Audience (that is to say, public) education on the identification of misinformation and

disinformation is a necessity for highly networked societies, and will be explored further in chapter

six. It must also be noted, however, that as useful as passive CCI practices are to the individual

and (eventually) to the collective security, unless practiced at scale they will not contribute directly

and specifically to security at the state level, and thus to national and international security in the

cyber domain.

While an overarching international institution dedicated to cyber security is unlikely in the current

political climate, the next stage of CCI practices include those actions which can be directly linked

to a higher degree of security. Active CCI is a step higher than the passive CCI practices discussed

in this section, and require a greater degree of conscious effort than those which are, by definition,

571 This is a concept known as a belief echo - where information proven false still affects perception and filtering of information received in future, or opinions around that subject. Jianing Li, “Toward a Research Agenda on Political Misinformation and Corrective Information,” Political Communication 37, no. 1 (January 2, 2020): 125–35, https://doi.org/10.1080/10584609.2020.1716499; Emily Thorson, “Belief Echoes: The Persistent Effects of Corrected Misinformation,” Political Communication 33, no. 3 (July 2, 2016): 460–80, https://doi.org/10.1080/10584609.2015.1102187.


193

unconscious or “passive”. The next section will take the conversation one step further, by defining

and discussing the concept of active CCI, and how practices underneath this banner may be

employed by the individual, the organisation and the state in pursuit of a greater degree of security.

Active CCI

Active CCI measures differ from passive measures in one major way: they are undertaken

consciously and in pursuit of a particular goal, against a perceived threat. As noted above, intent is a

crucial element of utility classification, and is a necessary part of active CCI. For the purposes of

this thesis, the particular goal of active CCI is a greater degree of security no matter the entity in

question; the perceived threat in a specific event, actor, or outcome which is preferably avoided.

In this respect, the categorisation of CCI actions mirrors the aggregate categorisation of

intelligence collection in cyberspace as discussed above. If active intelligence collection measures

are those which are undertaken consciously and in pursuit of a specific goal, then active CCI must

be those practices which are consciously and actively pursued in order to counter and deny both

passive and active intelligence collection attempts by other entities. The section above on active

intelligence collection in cyberspace refers also to the fact that the field of information, to which

these categories apply, should not be restricted in nature. It should not be classified or otherwise

actively protected by measures that would require significant (and potentially illegal) actions to

subvert. Following from the cyber hygiene analogy,572 for example, active CCI measures would be

akin to being immunised; seeing the doctor regarding any concerns; washing your hands after

coming into contact with unfamiliar objects or substances. In unrelated analogies, active CCI

measures could also be akin to locking all of your doors and windows at night; setting the parental

controls on Netflix; and hiding your friends’ car keys when they have been drinking. Again, what

sets these apart from the passive actions is that they are consciously chosen, and done so in

anticipation of, or awareness of, a particular threat or threats. As a further note, an active CCI

practice, once habituated, can become unconscious, and then can become passive. In the ideal

scenario, a populace, educated in active CCI, soon internalise the CCI activities, and thus there is

widespread, dynamic passive CCI.

In real terms, active CCI measures include many security practices that you may previously have

heard being encouraged or enforced by employers, friends or family members versed in cyber-

enabled technologies. Practices may include (but are not limited to): changing your device and

account passwords every three months; logging out of your operating account; reducing or

572 Australian Cyber Security Centre, “The Commonwealth Cyber Security Posture in 2019.”


194

completely avoiding the use of public WiFi; deleting (without opening) emails from unknown or

suspicious senders; utilising firewall software (built-in or purchased). For larger organised groups

or states, active CCI measures will of course be on a larger scale, but many of the practices will be

the same or similar to those of individuals. The important part is that the practices are undertaken

purposefully, with the explicit intent of avoiding intelligence gathering by other parties and

protecting your own information and data, without entering into more proactive measures, which

will be discussed below.

The state, it must necessarily be argued, pursues active CCI as a matter of course in the

contemporary era. We saw through the analysis of national security documentation in chapter four

that the UK has successfully riskified the cyberspace risk to assets, and in the period 2008-2018

began to engage intelligence and security services in active cyber defence. Because intelligence

operations like espionage can be undertaken at any time, with any goal, by any party, the state must

be always constantly on guard against those intelligence operations. This means that everyone in

the employ of the state (and particularly those of the intelligence and security agencies), each

organised group working within the hierarchy of state bureaucracy, as well as the Executive that

represents that state as a single functioning entity, must all constantly and consistently employ

active CCI measures and practices. Unlike the successful riskification of assets, the UK over the

analysed period failed to appropriately elevate the threat to and from audiences in consideration

of their national cyber security policies. I suggest here that as a representative of its constituent

members, the state is responsible for the overall ‘herd immunity’ of the population against

intelligence collection and (dis)information operations by foreign and potentially hostile entities.

As such, the state relies on both organised groups (within and without the state hierarchy) and on

individuals to contribute to herd immunity against malicious cyber-attacks or operations, to reduce

both the overall investment and the overall security costs that the state necessarily bears in assuring

its own security.

Organised groups will also seek to undertake measures and practices that will further secure the

information and data, as well as that of their constituent members, when undertaking active CCI.

Unlike individuals, whose only security concern is their own, organised groups must undertake to

ensure two levels of security: individual security, as members of the group; and, at the second level,

group security as an aggregated actor. While many of the measures and practices will be the same

as those undertaken by individuals, organised groups must scale up their efforts without verging

on the more proactive measures (to be discussed in the next section) in their active CCI. In addition


195

to contributing to the collective resilience of both the in-group members (further shoring up the

personal security of those individuals), the organised group, in pursuing active CCI measures,

contributes to the collective resilience and security of the general population and the state, thereby

reducing the weaknesses that that state must cover at the national, regional, and international levels.

For the individual, unlike the (occasionally subconscious or even unconscious) measures that may

be taken without actively being aware of what is being done, active CCI is just that: active. As

mentioned above in general terms, one of the major differences between passive CCI and active

CCI is the “knowingness” of the practice. The individual should knowingly, and meaningfully,

seek to increase their levels of cyber security by undertaking those measures which, to them, are

not unreasonable to secure their information, and which will not deter them from using their

technologies and equipment as they ordinarily would. Individual active CCI will, to follow the

global health analogy, contribute to ‘herd immunity’; that is to say, every individual that actively

seeks to employ active CCI measures in their own lives will contribute to the overall cyber security

of both the general population and the overall state.

The overall degree of security that is offered state, group, and individual active CCI measures is

something that is almost impossible to quantitatively measure, due to the multitude of parties

involved and the many practices that could potentially be termed active CCI. Suffice to say that

the more an individual or group pursues their security by actively and purposefully instituting

measures to deny, repel, or otherwise thwart hostile or malicious activities in cyberspace, the better

the overall state immunity to such activities will become, as those activities will become more costly

to the exploitative entity. The next section will discuss and examine the aforementioned concept

and measures of proactive CCI, at each of the levels of analysis analysed in this thesis.

Proactive CCI

Proactive CCI is differentiated from active CCI both in the scale of effort involved, and also the

variety of practices that constitute it. With active CCI, the goal is to increase the level of security

for a given entity by purposefully instituting and practicing measures that will deter, deny, or repel

activities targeted to gather information through cyberspace, but is contained to those measures

which do not require significant effort and do not require specialised skills of software. Proactive

CCI, however, requires both specialised skill and specialised – sometimes occasionally unique,

purpose-built – software that are designed not only to deter, deny, and repel but to actively pursue

the would-be exploitative parties, and undertake to fold back their operations, potentially ‘flipping’


196

them into intelligence-gathering programs of one’s own. Proactive CCI straddles the line between

defensive action and offensive action, including targeting malicious actors. In other instances,

proactive CCI may look like poisoning the well before an attack. A good example of this kind of

proactive CCI is the alleged insertion of false information into their own records by French

authorities in the lead-up to the 2017 election, also known as a ‘cyber-blurring’ strategy.573

Convinced that political actors would likely be the targets of hostile hackers, when President

Macron’s campaign staff were attacked and data exfiltrated and ‘leaked’ in the days preceding the

election, Macron’s head of digital operations cast doubt on the accuracy and utility of any data

leaked because it contained false information planted by the digital operations team.574 This

rendered the information far less valuable as there was no way to ascertain veracity of data, and

deflected attention to the alleged attacker (Russia).575

Proactive CCI is characterised by the sensitive and often classified nature of both the targets and

the defence mechanisms. To follow a public health analogy, proactive CCI would be akin to a

national, compulsory immunisation scheme in anticipation of or during a pandemic outbreak.

Alternately, proactive CCI would be akin to targeted chemotherapy and radiation treatments of

cancer patients. The chosen measures are undertaken with knowledge of the specific threat and a

strategic understanding of how each measure will aid in mitigating that threat. Unlike passive and

active CCI, which are solely defensive, however, proactive CCI measures are also offensive in

nature, including the cyberspace equivalent of the poisoning wells in hostile territories, or the

planting of false intelligence to see where exactly a leak has sprung. Proactive CCI is the pursuit of

security through any and all means necessary, including offensive measures generally attributed to intelligence rather

than counterintelligence operations.

Given the nature of proactive CCI, the wholesale institution of its practice is generally

attributed/attributable to the state, given the financial, technological, and human resources

required to properly pursue it. However, some individuals and organised groups (increasingly,

multinational and transnational corporations such as Google, Apple, Facebook and Microsoft)

573 A cyber-blurring operation distorts the value of hacked data by introducing false information that gets exfiltrated with the authentic information, ‘blurring’ the value of all data because accuracy is uncertain for any of it. Adam Nossiter, David E. Sanger, and Nicole Perlroth, “Hackers Came, but the French Were Prepared,” The New York Times, May 10, 2017, sec. World, https://www.nytimes.com/2017/05/09/world/europe/hackers-came-but-the-french-were-prepared.html. 574 Nossiter, Sanger, and Perlroth; Nicole Perlroth, “Russian Hackers Who Targeted Clinton Appear to Attack France’s Macron,” The New York Times, April 25, 2017, sec. World, https://www.nytimes.com/2017/04/24/world/europe/macron-russian-hacking.html. 575 Boris Toucas, “The Macron Leaks: The Defeat of Informational Warfare,” Center for Strategic & International Studies, May 30, 2017, https://www.csis.org/analysis/macron-leaks-defeat-informational-warfare.


197

have the technical capacity and resources necessary to apply proactive CCI to their security, and

so I will discuss each level of analysis as I have for both passive and active CCI.

The state is potentially the only actor in cyberspace to whom proactive CCI activities are not only

entirely necessary but considered a native part of holistic security. Moreover, in many jurisdictions,

the state is the only actor that is legally permitted to engage in proactive CCI. The low barrier to

entry for cyber conflict and exploitation, as well as the perception among states that cyberspace is

a natural alternative to kinetic conflict, results in a contested domain that is both offensively

advantaged and within which a variety of actors engage in attack and exploitation.576 Engaging in

proactive CCI activities not only contributes to the resilience and security of the state, but also to

the overall understanding of the national and international threatscape within which states must

operate. Responsible for the general security of the state and its constituent members, the security

agencies of the modern state actively and purposefully create and pursue avenues and measures of

proactive CCI.577 Such measures as have been publicised by whistleblowers and leakers tell us that

not only is the state the constant target of intelligence-gathering activities on the part of foreign

entities, but that the state is actualising proactive measures of CCI in an attempt to negate those

activities, and regain the advantage in cyberspace. While the publicised programs have instigated

debate on such issues as privacy and the legalities concerning the constitutive elements of these

proactive CCI programs, it cannot be understated that without the CCI measures being instituted

and pursued by governments, the loss of intelligence and of intellectual property would be

astronomically higher than current levels. Proactive CCI is an integral part of national security in

the contemporary international system, particularities and legalities according to national and

international law notwithstanding.

Organised groups face many of the same challenges of proactive CCI as do individuals, and it

should be noted that those groups that have publicly proven capable of proactive CCI have been

in turns vilified and celebrated.578 Corporations, for example, have proved to be the constant target

of intelligence-gathering and hostile cyber operations and have a demonstrated ability to employ

576 Healey and Jervis, “The Escalation Inversion and Other Oddities of Situational Cyber Stability”; Kollars, “Cyber Conflict as an Intelligence Competition in an Era of Open Innovation.” 577 Consider the NSA PRISM program. Greenwald, No Place to Hide: Edward Snowden, the NSA and the Surveillance State; Harding, The Snowden Files: The Inside Story of the World’s Most Wanted Man; Lempert, “PRISM and Boundless Informant”; Sottek and Kopfstein, “Everything You Need to Know about PRISM.” 578 Consider the hacking group Anonymous. See Beran, “The Return of Anonymous”; Zak Doffman, “Anonymous Hackers Target TikTok: ‘Delete This Chinese Spyware Now,’” Forbes, July 1, 2020, https://www.forbes.com/sites/zakdoffman/2020/07/01/anonymous-targets-tiktok-delete-this-chinese-spyware-now/.


198

proactive CCI measures to either protect their own information or, if unsuccessful in this respect,

to then ‘follow’ the exploitative parties for both attribution and intelligence-gathering operations

of their own.579 Organised groups are inherently more capable than individuals of designing and

deploying proactive CCI, usually being both more financially able, but also having access to a

greater number of individuals with the skills necessary to the creation and utilisation of proactive

CCI measures. Groups have a greater probability of being targeted for both volume and value of

information possessed; certainly, in the Internet age, corporations have lost significant intellectual

property to intelligence-gathering operations conducted via cyberspace by foreign entities.580

Organised groups, particularly corporations with links to or contracts with government, are highly

lucrative targets for foreign entities. However, it should be noted that given the aforementioned

undecided and problematic nature of proactive CCI, and particularly the practice of so-called

‘hack-backs’, proactive CCI on the part of organised groups can also present the state with an

entirely new set of problems, not least of which being that hacking back is typically illegal.

Individuals that pursue, or intend to pursue, proactive CCI are among the minority. They should

have specific information they wish to protect and/or conceal; they should be the target of foreign

intelligence-seeking activities or operations, or they should be (among those) actively targeting

foreign entities that represent a threat to their own security (individual or national, such as with

patriotic hackers) and thus have a decided interest in proactively pursuing exploitative factions.

They should also be able to, or have access to those individuals who have the technical capacity

to, understand, design and deploy software that will both protect their own systems and

579 Catalin Cimpanu, “FireEye, One of the World’s Largest Security Firms, Discloses Security Breach,” ZDNet, December 8, 2020, https://www.zdnet.com/article/fireeye-one-of-the-worlds-largest-security-firms-discloses-security-breach/; Kieren McCarthy, “Cybersecurity Giant FireEye Says It Was Hacked by Govt-Backed Spies Who Stole Its Crown-Jewels Hacking Tools,” The Register, December 9, 2020, https://www.theregister.com/2020/12/09/fireeye_tools_hacked/; David Neal, “Insider Reveals Details of Google Hacks,” iTnews, April 21, 2010, https://www.itnews.com.au/news/insider-reveals-details-of-google-hacks-172661; David E. Sanger and Nicole Perlroth, “FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State,” The New York Times, December 8, 2020, sec. Technology, https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html; Kim Zetter, “Report: Google Hackers Stole Source Code of Global Password System,” Wired, April 20, 2010, https://www.wired.com/2010/04/google-hackers/. 580 Jeremy Bender, “FBI: A Chinese Hacker Stole Massive Amounts Of Intel On 32 US Military Projects,” Business Insider Australia, July 17, 2014, https://www.businessinsider.com.au/chinese-hackers-stole-f-35-data-2014-7; Committee on Energy and Commerce, “Cyber Espionage and the Theft of U.S. Intellelectual Property and Technology,” Pub. L. No. 113–67, § Committee on Energy and Commerce (2013), https://www.govinfo.gov/content/pkg/CHRG-113hhrg86391/html/CHRG-113hhrg86391.htm; Franz-Stefan Gady, “New Snowden Documents Reveal Chinese Behind F-35 Hack,” The Diplomat, January 27, 2015, https://thediplomat.com/2015/01/new-snowden-documents-reveal-chinese-behind-f-35-hack/; Jennifer Runyon, “60 Minutes Investigates Chinese Cyber-Espionage in Wind Industry,” Renewable Energy World (blog), January 18, 2016, https://www.renewableenergyworld.com/wind-power/60-minutes-investigates-chinese-cyber-espionage-in-wind-industry/; Davey Winder, “Lockheed Martin, SpaceX And Tesla Caught In Cyber Attack Crossfire,” Forbes, March 2, 2020, https://www.forbes.com/sites/daveywinder/2020/03/02/lockheed-martin-spacex-and-tesla-caught-in-cyber-attack-crossfire/.


199

information and proactively deter, deny, repel, and then track and pursue hostile parties, and

perform offensive manoeuvres in response. It should be noted that in the current international

system and in many sovereign states, ‘hack-backs’, as many of these measures are called, are either

illegal or not necessarily legal, and currently being debated as a potential response.581 Thus, with

many governments prohibiting proactive CCI, it places an additional burden on those

governments to engage in CCI activities to ensure that these private targets of cyber-attacks are

protected, and the overall systems are resilient to such attacks.

The preceding sections have discussed the nature of CCI and how measures of CCI are being

deployed. The manner and method according to which CCI is pursued tells us whether the use is

tactical or strategic; operational CCI describes how CCI is actually being deployed. The succeeding

section of this chapter will examine two categories of operational CCI: tactical, and strategic.

Tactical and Strategic CCI

There are two main categories for how CCI operates; tactically, and strategically. As in the common

understanding of tactics and strategy, tactical CCI is more a micro-level view and use of the

technological capacity, whereas strategic CCI is part of the overall (war fighting) strategy of a given

(armed; exploitative; hostile; intelligence-gathering; and/or military) force. There is necessarily

overlap between these terms, as certain tools, techniques, and methods can be employed as an

operational tactic or to further the overall strategic aims of an operation, but the dichotomy is

designed to describe the overall purpose for which CCI measures and practices are deployed.

Tactical and strategic CCI is not undertaken by any single agency or military branch of the modern

state, or group. Jurisdictional ambiguity notwithstanding, operational CCI also needs to be defined

according to the intended physical location of the outcome of the operation: domestic or

international. That designation will generally lessen the number of parties that could or will be

involved in operationalising cyber activities, and reduce the ambiguity of which entity has the right

and/or responsibility of operations. Of course, in cyberspace, regardless of agency or branch

mandate, and the physical location of intended outcomes, infrastructure is such that multiple

581 Rob Lemos, “Why the Hack-Back Is Still the Worst Idea in Cybersecurity,” TechBeacon, accessed April 10, 2021, https://techbeacon.com/security/why-hack-back-still-worst-idea-cybersecurity; Gavin Smith and Valeska Bloch, “The Hack Back: The Legality of Retaliatory Hacking,” Allens: Insight, October 17, 2018, https://www.allens.com.au/insights-news/insights/2018/10/pulse-the-hack-back-the-legality-of-retaliatory-hacking/; Nicholas Winstead, “Hack-Back: Toward A Legal Framework For Cyber Self-Defense,” American University, June 26, 2020, https://www.american.edu/sis/centers/security-technology/hack-back-toward-a-legal-framework-for-cyber-self-defense.cfm.


200

national jurisdictions may also be involved, and international law then becomes a factor in security

calculations.582

I contend that CCI is deployed when and where necessary, and categorised after the fact as either

tactical or strategic in nature. Despite this, an understanding of the use and deployment of CCI

tools and techniques is, I argue, a necessary foundation of the field and study of cyberspace

intelligence and counterintelligence generally. The sections below, tactical CCI and strategic CCI

respectively, will examine and discuss the definition and nature of each category and how each is

deployed both in conjunction with traditional security practices and on their own, as separate

undertakings.

Tactical CCI

Tactical operations are comprised of those actions and engagements that, when undertaken, are

intended to introduce an advantage into the battle space: they are the “means towards the strategic

end.”583 With this in mind, tactical CCI can be understood as those actions, processes, technologies

and/or techniques that are designed and utilised in order to acquire, retain, or maintain an

advantage in specific, bounded cyber operations, and contribute to the overall security of the entity

in question and/or a specific strategic end. This section will examine where tactical CCI fits into

the threat elevation paradigm discussed in chapter three, then explore state usage of CCI before a

brief consideration of how organised groups and individuals might use CCI, and finally consider

the potential overlap of tactical CCI with strategic CCI.

Tactical CCI employs various techniques in an ad hoc manner in order to mitigate immediate

threats. Because tactical CCI is an operational response rather than a strategic preparation

(discussed in the next section) in most cases, it is assumed in this thesis that tactical CCI operations

will occur as a threat mitigation response upon identification of a specific and immediate threat:

that is to say, tactical CCI is a de-securitisation technique according to the threat elevation

framework.584 Tactical CCI thus seeks to mitigate the threats, and reduce the vulnerability to, and

harms arising from, specific cyber-attacks. Supporting this view is the understanding that

582 Allan, “Attribution Issues in Cyberspace”; American Society of International Law, “Beyond National Jurisdiction”; Schmitt and Vihul, “Proxy Wars in Cyberspace.” The Budapest Convention on Cybercrime represents a good foundation upon which to base future agreements or treaties on jurisdiction assignation in cyber-attack cases. See Council of Europe, “Chart of Signatures and Ratifications of Treaty 185.” 583 T.E. Lawrence, “Science of Guerilla Warfare,” in Strategic Studies: A Reader, ed. Thomas G. Mahnken and Joseph A. Maiolo (Oxon: Routledge, 2008), 246. 584 Threat elevation analysis is elaborated in chapter three.


201

exploitative cyber-attacks will usually be innovative, novel, and threaten the interests of the victim

actor in a way that is difficult to anticipate or prepare for, and thus beyond the bounds of ordinary

political processes. In the context of disinformation as a security threat, the tactical CCI response

to it would be the immediate measures identified by the responding actors that will manage or

mitigate immediate dangers. For example, this could consist of flagging or removing from public

fora the identified false information, and potentially identifying publicly the disinformation

operation. This carries its own dangers as the belief echoes of those already affected may result in

entrenched faith in false information, but this is the decision-making area that crosses between

tactical and strategic CCI.585

Utilisation of tactical CCI is expected to change according to the aggregate group under

examination and the actor’s context within that group, i.e. a small agrarian state with limited

widespread connectivity vs. a small, highly connected states, or a six-person organisation/business

vs. a 2,000-person organisation/business. That said, some generalised assumptions about the

deployment of CCI teams and the utilisation of tactical CCI can be made. I will examine states,

organised groups and individuals in my overview of expected usage, though it should be noted

that given the generally active or proactive nature of tactical CCI operations, it is expected that

most observable deployment of tactical CCI will occur at the state level, or on behalf of the state

by groups or individuals. States must contend with a variety of actors in cyberspace – by examining

individuals and organised groups, we gain a broader understanding of CCI uses by, alongside, and

against states.

States

States are expected to be the aggregate group that utilises tactical CCI the most, by the sheer fact

that under the definitions offered by this thesis, tactical CCI is either active or proactive, and, as

such, should be the responsibility of the sovereign state. The state apparatus is also uniquely

constructed for the use of intelligence agencies, and these intelligence agencies are all (to various

levels) responsible for their cyber security. Some of these agencies will also be mandated to defend

against intrusions into government networks by hostile actors, and to trace those attacks: this is

where tactical CCI should be displayed. “The tactical level of war is where individual battles are

executed to achieve military objectives assigned to tactical units or task forces,”586 and contribute

to the overall security strategy of the state (or other actor) in question. Because tactical operations

585 Belief echoes are discussed further in chapter six. 586 Jason Andress and Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Waltham: Elsevier, 2011), 4. Andress and Winterfeld, 4.


202

are reactionary, and may change ad hoc during engagement, there are few actors outside states or

extremely large corporations and specialised research groups that would be technically capable or

legally able to undertake such operations.

Tactical CCI operations should not be observable in the actions of all aggregate groups identified

in this thesis. As has been stated, tactical CCI is an active or proactive form of CCI, and, as such,

is expected to be seen primarily in the security operations of states, state-affiliated groups or

individuals, or hostile actors targeting the state. Tactical CCI is suited to ad hoc, short-notice and/or

immediate-concern threats and should therefore be seen as a threat mitigation (de-securitisation)

technique rather than as risk management (de-riskification) technique. In saying that, there may at

times be overlap depending on the parties involved in, and actions required for, identified risks

and threats. The next section will continue the discussion of operational CCI with an examination

of strategic CCI. State cyber security agencies responding to ransomware attacks against either

government or civilian systems is an example of tactical CCI – identifying the ransomware,

reversing the exploit or identifying methods of working around the exploit so normal operations

can recommence, and potentially attributing the attack. The UK NCSC, for example, will provide

advice and technical assistance if requested through their incident logging portal, and provides a

list of companies certified to provide cyber incident response (CIR) in the case of ransomware.587

Organised Groups

The use of tactical CCI by organised groups is also expected to align in large part with their

relationship to the state, or to their percentage of market share in their chosen field. Corporate

groups, for example, are incentivised to increase their levels of cyber security by customer/client

feedback, and the knowledge that if they are not perceived as secure enough, their market share

might decrease. In terms of the corporate groups and their relationship to the state, certain levels

of security will be contractually obligatory to obtain contracts; without that security, corporations

lose out. In an alternate scenario, tactical CCI would be utilised by groups that are acting against

the state, or in contravention of state laws and regulations (such as hacker collectives, organised

criminal groups or terrorist organisations), and would thus require significant investment in, and

practice of, tactical CCI.

587 National Cyber Security Centre, “Mitigating Malware and Ransomware Attacks,” National Cyber Security Centre, March 30, 2021, https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks; National Cyber Security Centre, “Reporting a Cyber Security Incident,” National Cyber Security Centre, 2021, https://report.ncsc.gov.uk/.


203

One example of an organised group that could potentially employ tactical CCI measures would be

the Islamic State, or ISIS.588 ISIS had a considerable online presence and has demonstrated

considerable facility in the use of social media platforms for recruitment and propaganda.589 Terror

groups generally need to employ CCI measures in order to continue operations both in the physical

world and in cyberspace: consider the global War on Terror and the measures taken against terror

groups by a variety of states.590 Proactive cyber intelligence and counterintelligence methods and

practices in the hands of states that pursue terror groups and their members require purposeful

and extensive use of tactical CCI in order to avoid punitive measures. Not utilising such measures

would likely result in the inability of the group to operate, so the use of tactical CCI contributes to

both the overall goals of the organisation, as well as the strategic requirement of operational

continuity and capacity to engage.

Individuals

Individual use of tactical CCI will depend on several factors, not least of which is the individual’s

position relative to cyberspace and/or national or corporate security. In addition, my contention

588 Also known as IS or Daesh. 589 Imran Awan, “Cyber-Extremism: Isis and the Power of Social Media,” Society 54, no. 2 (April 1, 2017): 138–49, https://doi.org/10.1007/s12115-017-0114-0; Kyung-shick Choi, Claire Seungeun Lee, and Robert Cadigan, “Spreading Propaganda in Cyberspace: Comparing Cyber-Resource Usage of Al Qaeda and ISIS,” International Journal of Cybersecurity Intelligence and Cybercrime 1, no. 1 (2018): 21–39; James P. Farwell, “The Media Strategy of ISIS,” Survival 56, no. 6 (November 2, 2014): 49–55, https://doi.org/10.1080/00396338.2014.985436; Christina Schori Liang, “Cyber Jihad: Understanding and Countering Islamic State Propaganda,” GCSP Policy Paper (Geneva: Geneva Centre for Security Policy, 2015), https://www.jugendundmedien.ch/fileadmin/PDFs/anderes/schwerpunkt_Radikalisierung/Cyber_Jihad_-_Understanding_and_Countering_Islamic_State_Propaganda.pdf. 590 Avril McDonald defined the War on Terror as “a multi-faceted counter-terrorism campaign, some aspects of which involve the use of military force, most of it carried out in States [sic] where there is no armed conflict, although aspects of the counter-terrorism campaign assume the characteristics of armed conflict where the US attacks a State [sic] considered to be harbouring or assisting Al Qaeda…” Avril McDonald, “Defining the War on Terror and Status of Detainees: Comments on the Presentation of Judge George Aldrich - ICRC,” Humanitäres Völkerrecht (1, 14:16:41.0), https://www.icrc.org/en/doc/resources/documents/article/other/5p8avk.htm. See also Council of Europe, “Council of Europe Counter-Terrorism Strategy 2018-2022,” Council of Europe | Committee of Ministers, 2018, https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016808afc96; Council of Europe, “Country Profiles on Counter-Terrorism Capacity,” Council of Europe | Counter-terrorism, 2021, https://www.coe.int/en/web/counter-terrorism/country-profiles; Dirk Haubrich, “September 11, Anti-Terror Laws and Civil Liberties: Britain, France and Germany Compared 1,” Government and Opposition 38, no. 1 (ed 2003): 3–28, https://doi.org/10.1111/1477-7053.00002; Eva Steiner, “Legislating against Terrorism-The French Approach,” Lecture (London: Chatham House, 2005), https://www.chathamhouse.org/sites/default/files/public/Research/International%20Law/ilp081205.doc; United Nations, “Counter-Terrorism Committee,” United Nations Security Council Counter-Terrorism Committee, 2021, https://www.un.org/sc/ctc/; United Nations Security Council, “20 Years after Adopting Landmark Anti-Terrorism Resolution, Security Council Resolves to Strengthen International Response against Heinous Acts, in Presidential Statement,” United Nations Meetings Coverage and Press Releases, January 12, 2021, https://www.un.org/press/en/2021/sc14408.doc.htm; United States Department of Homeland Security, “Counterterrorism Laws & Regulations,” Department of Homeland Security, June 4, 2009, https://www.dhs.gov/counterterrorism-laws-regulations; United States Department of Justice, “The USA PATRIOT Act: Preserving Life and Liberty.”


204

is that tactical CCI is an active or proactive action and thus outside the operational or actionable

reality of the general population. I would expect that tactical CCI would be used mostly by

individuals with significant knowledge of and interest/expertise in cyber security, such as

consultants; contractors; hackers (any variety); or criminals. As such, I would also expect that most

individuals using or intending to use CCI would be in some respect connected to state security

apparatuses through contracting or consultancy, or, by use of these practices, avoid state security

apparatuses, as is the case with hackers or criminals working against the state/within the state

against other actors.

Patriotic hackers are one example of the type of individual who may need to engage in tactical CCI

practices. Patriotic hackers are those individuals who, while not contracted by or employed by the

state to whom they declare allegiance, will undertake cyber-attacks on behalf of that state.

According to Michael Dahan, patriotic hackers are “more willing to “cross the line” into criminal

activity, the purpose being to inflict as much damage as possible upon the enemy. The patriotic

hacker seems to drift between “defender of the homeland” to cyber-criminal and back. There is

no “ethic” for the patriotic hacker beyond that of nationalism, no manifesto beyond that of

patriotism, no code of conduct beyond maximum damage.”591 Upon a perceived insult or threat

to the state, and without specific instruction or support, hackers will undertake to inflict damage

upon the identified enemy. In order to avoid security measures or retaliation, hackers will engage

in tactical CCI measures intended to reduce the likelihood of punitive measures against them. One

concern is that patriotic hackers will one day cause enough damage to incite an international

incident; at the time of writing, this has not yet occurred. A typical example of patriotic hacking is

to deface government websites,592 as with two hackers indicted in the US in 2020 for a defacement

campaign against US government websites in retaliation for the death of Iranian General Qasem

Soleimani in January 2020.593

Strategic CCI

Strategic operations are those which are designed and implemented in order to contribute to the

overall benefit of the actor, the assumed goal of that actor being victory over the opponent.

Whatever the decided strategic end of that actor, multiple actions have been designated as

591 Michael Dahan, “Hacking for the Homeland: Patriotic Hackers Versus Hacktivists,” in Proceedings of the 8th International Conference on Information Warfare and Security: ICIW 2013, ed. Doug Hart (Denver: Academic Conferences Limited, 2013), 56. 592 Andress and Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, 197. 593 Cimpanu, “FireEye, One of the World’s Largest Security Firms, Discloses Security Breach.”


205

necessary in order to fulfil what that actor sees as the requirements of victory in a given

engagement: taken together, these actions (and they manner in which they will be accomplished)

form the strategy of that actor.594 With this general understanding of strategic operations in mind,

strategic CCI can be understood as those actions, processes, technologies and/or techniques that

are designed and utilised In order to obtain and defend an informational advantage in cyberspace

that will contribute to the overall victory of the actor in a specified conflict; the overall approach

to strategic CCI will inform how tactical CCI is undertaken. This section will discuss how strategic

CCI fits into the threat elevation paradigm; I will examine state use of strategic CCI before briefly

discussing how organised groups and individuals might use strategic CCI. I will then analyse the

potential overlap of tactical CCI and strategic CCI.

Unlike tactical CCI, which is considered in this thesis to be a largely reactionary field, strategic CCI

looks at ‘the bigger picture’, to use a trite expression. Approaches to strategic CCI may be inferred

from national cyber security strategies, as seen in the UK case study in chapter four. Tactical CCI

is the short-term operational response to outside risks and threats, and in service to the plan/s set

by the overall strategic CCI outlook.595 In contrast, strategic CCI is part of the strategic preparation

for cyber conflict, as well as the strategic response to attack or exploitation by a hostile actor, and

represents a more innovative, anticipatory CCI. Strategic CCI, unlike tactical CCI, is expected to

be seen in, and used by, all three identified aggregate groups in this thesis: states, organised groups,

and individuals. This is in large part because while certain actors may be unable or unwilling to

employ tactical CCI, they will still have an overall interest in, and plan for, strategic CCI: that is to

say, they have a vested interest in making sure that there is a general plan and willingness for

strategic initiatives to prevent hostile actors from easily accessing their systems and information.

Given the increasing understanding of the potential dangers of disinformation, for example, both

states like the UK,596 and larger corporations such as Apple and Twitter, are developing their policy

responses to disinformation actors and operations – this will be considered further in chapter six.

States and large corporations depend in large part on the trust of their citizens (for the former)

and their customers (the latter). There are serious and negative implications for actors that neglect

594 Lawrence, “Science of Guerilla Warfare,” 246. 595 Lawrence, 246. 596 In the case study time frame, I found that the UK had failed to comprehensively elevate the threat to audiences posed by cyberspace, which includes the risks of disinformation to electoral and democratic integrity. However, some progress was made in the intervening time between 2018 and 2021, with the publication of the Integrated Review. Given Integrated Review and associated Defence Command Paper fall outside the case study parameters, I consider these documents in the thesis conclusion in the context of recent developments.


206

to put in place strategies and policies for the management and mitigation of disinformation in the

current era, not least of which is the erosion of trust in both government and mainstream media.597

Utilisation of strategic CCI is expected to change according to the group under examination; in

this respect, it is treated no differently to tactical CCI. The practicability, efficiency, and willingness

to commit to a strategic CCI outlook plan is also expected to vary according to the capacities and

interests of the actors within the aggregate groups. States will invest in those measures that are

considered necessary and practicable – the priorities of states will vary according to several

different factors, not least of which are geopolitical context and record of hostilities. That is to say,

the assumption above in the tactical CCI section about small state vs. large state is also held to be

true in any consideration of strategic CCI. Nevertheless, a strategic outlook for CCI may be more

common as even those groups unable or unwilling to actively and proactively pursued tactical CCI

operations may be more inclined to initiate strategic policies for CCI.

States

More than the other aggregate groups, it is expected that in the contemporary age, states would be

in possession of, and actively enforcing, strategic CCI policies and outlooks.598 While strategic CCI

is expected to be used by the other two aggregate groups, states have both more to defend and

more strategic vulnerabilities in the case of failure. The intelligence and security apparatus of the

state, again, will be mandated with certain security jurisdictions, among which will be CCI. It is

expected that there will be explicit norms and regulations for each state, in light of strategic security

calculations, as to what the strategic outlook is for cyber security and thus CCI. These can be seen

most often in the official national security and cyber security strategies and policies published by

governments, as with the variety of UK documents analysed in chapter four. The actions of state

actors will be able to undertake in preparation for, and response to, hostile actions in cyberspace

597 House of Commons Digital, Culture, Media and Sport Committee, “Disinformation and ‘Fake News’: Final Report,” 2019, https://publications.parliament.uk/pa/cm201719/cmselect/cmcumeds/1791/179102.htm; See also Golovchenko, Hartmann, and Adler-Nissen, “State, Media and Civil Society in the Information Warfare over Ukraine: Citizen Curators of Digital Disinformation.” 598 According to the Center for Strategic and International Studies, 78 states maintain national cyber security strategies; 31 have military cyber strategies; 63 have cyber security mitigation and resilience plans for critical infrastructure; and 91 have cybercrime strategies Center for Strategic and International Studies, “Global Cyber Strategies Index,” Center for Strategic and International Studies, 2021, https://www.csis.org/programs/strategic-technologies-program/cybersecurity-and-governance/global-cyber-strategies-index.. The International Telecommunications Union its 100 states with current cyber security strategies or decrees, with an additional 12 states having drafts or with drafts in progress International Telecommunications Union, “National Cybersecurity Strategies Repository,” ITU | International Telecommunications Union, 2021, https://www.itu.int:443/en/ITU-D/Cybersecurity/Pages/National-Strategies-repository.aspx.. The UK’s strategies and their relation to CCI are examined in chapter four of this thesis


207

will define the use and operation of tactical CCI. It is therefore expected to be a matter of law and

policy (though the explicit details may necessarily be classified and as such unavailable to

researchers).

Strategic CCI is expected to be observable in all aggregate groups identified in this thesis. While

strategic CCI, like tactical CCI, is both an active and occasionally proactive form of CCI,

implementation of strategy may not necessarily require the technical capacity or the continued

investment that maintenance of tactical CCI (cyber response teams) would. Unlike tactical CCI,

strategic CCI is a longer-term form of risk management. There may of course be overlap in terms

of the risks or threats in any particular situation, but the utility of knowing the difference between

tactical and strategic CCI is beneficial to an understanding of both CCI specifically, and cyber

security generally.

Organised Groups

The use of strategic CCI by organised groups is also expected to align, in large part, with those

that are identified as having the potential to use tactical CCI. Again, because strategic CCI doesn’t

necessarily require the technical capacity or the continued investment in the maintenance of cyber

response teams that tactical CCI would, it may be the case that strategic CCI is also more common

among actors such as corporate groups. As with tactical CCI, it is likely that corporate groups

would be contractually obliged to ensure certain levels of security, among which would be an

overall cyber security strategy in addition to the actions that would be undertaken in the event of

a breach (tactical CCI). Organised hacker groups, on the other hand, are incentivised to create and

then employ and enforce a strategic outlook in terms of CCI.

In terms of organised groups that employ strategic CCI, defence and government contractors that

specialise in cyber-specific or general defence technologies and services must have confidence in

their ability to secure their systems and those of their clients. In respect to government contracts,

it is often a requirement that contractors identify the measures that will be taken to ensure the

integrity of client data – it is in the interest of organised groups like consulting firms to ensure they

have measures in place to both avoid undue damage to systems in the event of a cyber-attack. If

undertaking offensive action in cyberspace, these groups need to have a plan in place that will

increase the probability of success and anticipate resistance or retaliation, such that defensive

options (on-the-spot, reactionary tactical CCI measures) are prepared. The UK National Cyber

Security Centre maintains a list of Cyber Assessment Framework (CAF) certified companies that


208

provide cyber incident response services in the case of cyber-attack (or, in the case of proactive

entities, advice and tools for cyber defence).599

Individuals

An individual’s approach to, and use of, strategic CCI, again, will depend on a number of factors.

These include (but are not limited to) the individual’s position relative to cyberspace and/or

national security; the individual’s personal, economic, or political interest in cyber security; and the

relative worth of that individual in terms of data availability. My contention is that strategic CCI

also covers both risk management and threat mitigation; it can be both active and proactive; but

that utilisation of strategic CCI should be more common than tactical CCI as it doesn’t necessarily

require the technical knowledge or capacity required by tactical CCI. In saying this, I would expect

the same array of individuals that could potentially use tactical CCI to be interested in and likely

to utilise strategic CCI: experts; consultants; contractors; and hackers (any variety).

Returning to the example of the patriotic hacker, these individuals are also likely to engage in

strategic CCI planning and practices. In order to engage in cyber conflict, particularly against a

state or domestic opponents to the state, there must be a level of confidence in the hacker’s ability

to keep his identity removed from the conflict – a level of confidence such that the actions taken

either will not be traced back to them, or retaliatory action will be unlikely due to political

calculations. Unlike in the traditional (physical) domain, where intelligence and counterintelligence

considerations remained the remit of state intelligence agencies, in cyberspace, the barrier for entry

to conflict is much lower and the probability of conflict between classes of actors more likely. One

of the goals of this thesis is to build the body of literature around CCI, to conceptualise what CCI

looks like for three classes of actor (states, organised groups, and individuals), and examine how

CCI on the part of all three classes interacts with the modern state.

Employers of CCI

As I have mentioned previously, there are many parties active in cyberspace that utilise CCI

methods, techniques, and practices, whether knowingly or not. Previous sections of this thesis

have discussed the types of CCI an entity may use (passive; active; proactive), and the manner in

599 As of writing, there are nine CAF-certified CIR services on the NSCS web page: BAE, Context, Deloitte LLP, F-Secure, KPMG, Mandiant, NCC Group, PwC, and SecureWorks. National Cyber Security Centre, “All Products & Services,” National Cyber Security Centre, 2021, https://www.ncsc.gov.uk/section/products-services/all-products-services-categories. For further information on the Cyber Assessment Framework, see National Cyber Security Centre, “NCSC CAF Guidance,” National Cyber Security Centre, 2021, https://www.ncsc.gov.uk/section/private-sector-cni/products-services.


209

which these types may be employed (strategic; tactical). The uptake of CCI technologies and

practices also presents security challenges to various parties in cyberspace, but particularly the state.

Indeed, the use of CCI technologies and practices on the part of individuals and organised groups

must be one of the great frustrations of twenty first century intelligence communities,600 as it

creates higher barriers to intelligence collection efforts targeted at legitimate threats, such as

terrorist groups or hostile governments. The more frequent the usage of CCI technologies and

practices, the more time-consuming and expensive these intelligence collection efforts must be.

The use of counterintelligence practices by many of these actors occurs at different levels, and for

different purposes. It is the goal of this thesis to contribute to the overall understanding of CCI as

a discipline, and to begin building the body of literature surrounding the way different classes of

actor utilise CCI. Intelligence has traditionally been the domain of the sovereign state – the

introduction of new conflict actors that can and do utilise CCI affects the pattern of interactions

in cyberspace. Following a brief discussion on actor goals and relative power, this section will

examine how these three classes of actor (states, organised groups, and individuals) utilise

cyberspace and employ practices and technologies designed to improve their security and

resilience.

Goals and Aims

The (suspected or stated) goals or aims of actors will change with the nature of the actor in

question. The generally defensive posture of corporate response groups, for example, is

diametrically opposite to the generally aggressive posture of NCGs like Anonymous. In addition,

the goals of an organisation like Anonymous change regularly, so there is a fluidity of purpose that

you would not see as frequently in corporate response groups, nor generally in the state-affiliated

groups that take direction from state policy. On the other hand, state actors are likely to engage

more in offensive actions in cyberspace, as they seek a position of relative dominance over

competing actors. Alternately, they may engage more in intelligence collection across state

boundaries to aid their own domestic industry, as has been accused of China.601 Because the goals

and aims of the various types and sub-types of actor are incredibly context-dependent, it is difficult

to ascertain what kinds of CCI practices they may employ at any given time. However, it is fair to

600 Kahney, “The FBI Wanted a Backdoor to the IPhone. Tim Cook Said No”; Kharpal, “Apple vs FBI.” 601 Nicholas Eftimiades, “The Impact of Chinese Espionage on the United States,” The Diplomat, December 4, 2018, https://thediplomat.com/2018/12/the-impact-of-chinese-espionage-on-the-united-states/; Christopher Wray, “Responding Effectively to the Chinese Economic Espionage Threat,” Speech, Federal Bureau of Investigation, February 6, 2020, https://www.fbi.gov/news/speeches/responding-effectively-to-the-chinese-economic-espionage-threat.


210

argue that certain practices and methods would be generally applicable to any class of actor no

matter the setting or other actors involved. It is expected that states, organised groups and

individuals would employ basic ‘cyber hygiene’ practices as have been discussed in previous

sections; protecting and changing passwords; reducing access to certain information to those who

have a real need of that information; putting in place processes to deny malicious actors access to

their data. Depending on the actor, the aim, and the competing party, more proactive CCI practices

may also be employed, involving ‘hack-backs’ and overtly publicising attribution of (attempted)

cyber-attacks, while potentially continuing on to undermine the parties that engaged in the attack

in the first instance in order to collect intelligence.602

Relative Power

The relative power of actors to affect each other will depend on the type or sub-type in question,

and on the relative size of that actor and the resources that they wield. States that have highly

interconnected and cyber-integrated economies and security considerations will be both more

capable of effecting efficient CCI and more likely to be targeted for the value of the information

and resources that are being protected. The larger, heavily industrialised, and cyber-connected

states like the US, UK, China and Russia are extremely active in both intelligence collection and

counterintelligence operations as part of ongoing risk management in terms of national security.

States like Estonia, which are highly connected and dependent on cyberspace technologies and

platforms also have vested interests in cyber capacity and agility. Geostrategic considerations also

come into play when states design cyber strategies and invest in cyber capacities – Estonia is not a

particularly large country, but, as seen in chapter three in the discussion of the Estonian experience

with cyber-attacks in 2007, its proximity to and historical relationship with Russia make it more

sensitive to, and active in, cyber operations. Beyond state-to-state interactions, resource capacity

as well as domestic and international law make states influential in relation to the ability of

organised groups and individuals to act in cyberspace.

Organised groups such as corporations, particularly mega-corporations like Google or Amazon,

have a greater capacity to invest in cyber capabilities, and therefore a greater power relative to

smaller states (less developed and heavily interconnected), smaller groups, and individuals. In terms

of corporate response groups, Apple will be able to employ a greater number of individuals and

invest a higher amount into cyber innovation and defence than, for example, a start-up company

602 This is not a complete listing of the potential proactive CCI practices an organised group may employ; to enumerate them would require a greater scope than this thesis allows.


211

with an employee roster of twelve people. Anonymous will have a higher probability of affecting

(the way they wish) an individual, another group, or indeed a state representative actor than will

smaller hacker collectives of only a handful of people. State-affiliated groups like those frequently

linked with the Russian Federation or the PRC will have a higher probability of adversely affecting

both other organised groups and states than will corporate response groups, for example. Since

the relative power of an organised group will inform where in the threat elevation hierarchy that

particular organisation will fall, it is also possible that a higher degree of risk management or threat

mitigation will result in the decreased efficiency or relative power of that group. When parties are

known to be hostile and aggressive in cyberspace, defences can more easily be created that are

specific to those actors, and in defence of the data most likely to be of interest to them. That is

not to say that the defences will be perfect or even 100% effective; simply that known actors can

be defended against more readily.

Individuals are more capable of affecting each other than they are of affecting groups or states by

virtue of the latter being generally more capable at marshalling both defensive and offensive

resources. Yet the individual, as part of an aggregate, has great influence over the shaping of cyber-

enabled interactions. In terms of the relative power of individuals to affect organised groups and

states, one must only look to the potential (and demonstrated) consequences of disinformation on

recent elections to see that the psychological state and thus the voting behaviour of individuals in

aggregate can have a massive effect on the outcome of leadership races and the succeeding national

and international actions and policies of the elected administration. The ability of individuals to

ascertain true from false, and engage in security and CCI practices, will have a major effect on

socio-political and strategic outcomes, which is why it is crucial that threats to democratic

audiences are appropriately elevated.

States

States are arguably the most important actor in cyberspace to actively and openly employ

intelligence agencies for both collection and counterintelligence operations. Obviously, intelligence

communities are an integral element of the security apparatus of the modern state, and, as such,

are responsible for obviating or at least providing information on a great deal of the security

concerns of any given government. Intelligence communities vary in size and operational mandates

according to the political and geographic security concerns of different states, but all intelligence

communities will have both intelligence collection and counterintelligence capacities.603 The degree

603 Johnson and Wirtz, Intelligence; Lowenthal, Intelligence: From Secrets to Policy.


212

of efficacy, funding and capacity also varies greatly, and often (in democracies at least) according

to the political and strategic goals of the incumbent administration and global threat context.

Whether or not there are specific agencies mandated for particular jurisdictions or tactical/strategic

concerns is also a matter of context and government.

The security priorities of states are manifold, and too numerous to discuss in any true detail within

this thesis. For the purposes of this thesis, rather than discuss the variety of threats facing the

modern state, I will refer only to threats and risks as a class, rather than as specific varieties of

(potential) danger: intelligence and counterintelligence apparatuses, then, focus on securing the

state against internal and external threats and risks, according to mandate and contextual

requirement. As the modern state depends increasingly on networked technology for both

domestic and international interactions and transactions of all kinds, more investment and

development is being required in the areas associated with cyber technologies. Because the state is

responsible for its citizens’ security as well as its own continued existence, and because the

international system is increasingly interdependent, the safety of data is of paramount importance.

When one considers that hacks that have stolen terabytes of data and blueprints for current and

developing technologies, there is an enormous financial and socio-political toll to be paid for

unsecured and insecure data.604 State institutions also suffer a loss of public trust when significant

events such as large-scale hacks occur, as the public begins to question whether and how the state

can ensure the security of private, secret or otherwise classified information in an increasingly

hostile information environment.

Additionally, states are not equal in all things. Nor are all states operating under a shared set of

assumptions about each other, or the world in general; if you accept that all states will try to ensure

their own interests above the interests of other states, then it is inevitable that states will conduct

intelligence operations against each other.605 As such, it is imperative that there be highly capable

and efficient counterintelligence offices, agencies, or branches upon which the state can depend in

604 For example, the Joint Strike Fighter. Department of Justice Office of Public Affairs, “Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research,” The United States Department of Justice, July 21, 2020, https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion; Dorling, “China Stole Plans for a New Fighter Plane, Spy Documents Have Revealed”; Gady, “New Snowden Documents Reveal Chinese Behind F-35 Hack”; Westbrook, “Joint Strike Fighter Plans Stolen in Australia Cyber Attack.” 605 While enshrined in domestic law, there are no international laws against espionage. See Veronika Prochko, “The International Legal View of Espionage,” E-International Relations (blog), March 30, 2018, https://www.e-ir.info/2018/03/30/the-international-legal-view-of-espionage/; A John Radsan, “The Unresolved Equation of Espionage and International Law,” Michigan Journal of International Law 28, no. 3 (2007): 595–623.


213

order to both secure and defend their own secrets, as well as undertake operations to discover

which entities are conducting operations against the state. In addition to the threat from foreign

and potentially hostile governments, the modern state is also increasingly subject to operations

conducted by organised groups (some of which may be supported or sanctioned by other states)

and individuals that are highly capable operators in the cyber environment.606 The ability of the

state counterintelligence apparatus to deter these actors and operations, and mitigate the harms, is

of the highest importance. In cyberspace, however, it is an impossible task to ensure the

total/complete security and privacy of the entirety of state secrets, or indeed the entirety of private

or confidential information of any kind. While the state (generally speaking) has access to a greater

array of resources than most other entities,607 it is also true that the state has a much larger stable

of concerns than do most other parties, and they also have a wider array of stakeholders attempting

to undermine their security at any given time. Resources must be apportioned to the most valuable

of assets, and, even then, the offensively advantaged nature of cyberspace means that with

significant investment and development, CCI services are often ‘on the back foot’.

This is not to say that the state does not have functional and effective counterintelligence services

and practices; simply that, not everything can be perfectly secured. It should be noted that despite

the cyber context of this particular thesis, there is always a human element to intelligence: the

greatest of firewalls can be designed by the greatest computer engineers alive and yet can still be

defeated by somebody failing to keep their password secret, or failing to change their password

from the factory default, or failing to install and run software patches.608 Part of the Russian

interference against the Clinton campaign in the 2016 involved phishing emails sent to former and

current campaign staff; this tactic succeeded against John Podesta, Clinton’s campaign manager,

who was tricked into entering his password into a false site and became the victim of a hack-and-

leak operation.609 There is also the possibility that cyber security policy may not be followed, or

basic cyber security practices be ignored. In 2018 it was revealed by The Telegraph that sensitive

606 Kollars, “Cyber Conflict as an Intelligence Competition in an Era of Open Innovation.” 607 Excepting the largest of multinational corporations, some of which have higher gross domestic product (GDP) than some States. Fernando Belinchón and Qayyah Moynihan, “25 Giant Companies That Earn More Than Entire Countries,” Business Insider, July 25, 2018, https://www.businessinsider.com/25-giant-companies-that-earn-more-than-entire-countries-2018-7?r=AU&IR=T; Eelke Heemskerk, Jan Fichtner, and Milan Babic, “Who Is More Powerful – States or Corporations?,” The Conversation, July 11, 2018, http://theconversation.com/who-is-more-powerful-states-or-corporations-99616. 608 Bhargava, “Human Error, We Meet Again”; Bisson, “‘123456’ Remains the World’s Most Breached Password”; Miller, “The Weakest Link.” 609 Barrett, “DNC Lawsuit Against Russia Reveals New Details About 2016 Hack”; Graff, “The Mirai Botnet Was Part of a College Student Minecraft Scheme”; Lily Hay Newman, “The Midterm Elections Are Already Under Attack,” Wired, July 20, 2018, https://www.wired.com/story/midterm-elections-vulnerabilities-phishing-ddos/; Krawchenko et al., “The John Podesta Emails Released by WikiLeaks.”


214

documents originating in the Cabinet Office, Home Office, and National Health Service of the

UK had been “accessible on Google for up to four years” because civil servants used public Trello

pages to store sensitive documents - including those dealing with MI5 and counterterrorism -

despite being instructed not to do exactly that.610 Examples like these illustrate both how central

the human factor is in considerations of cyber security, and why the capacity of the individual to

be both a vulnerability and a threat vector to state security needs to be comprehensively elevated.

That said, it could be argued that states have the most to lose in a cyber-attack, and thus should

be expected to develop considerably higher capacity in CCI than any other aggregate currently

operating – and this is a fair assertion. In the 2013 UNIDIR Cyber Index, more than 90 states

were listed as maintaining computer emergency response teams; even more were mandating their

agencies with cyber security responsibilities.611 Since then, cyber policies have increasingly made

their way into both popular thought and political administration, with many states either

designating cyber agencies and commands, or adjusting existing agency mandates to ensure that

CCI is being considered and implemented by at least one section of government or the military.

As seen in the case study in chapter four, national and cyber-specific security documentation612

have developed significantly over time, and that development in large part aligns with the

increasing concern over cyberspace being a threat vector in the contemporary international

threatscape, and the need for a coordinated approach to CCI. This thesis contributes to a general

understanding of what CCI is; how and by whom it is employed; and how the threat perception

of cyberspace has been elevated.

Organised Groups

Within the aggregate model employed in this thesis, the second type of actor in cyberspace is the

organised group. Further, within this particular type, I have identified three sub-types within which

most, if not all, group actors in cyberspace should fall. These sub-types are

a) the state-affiliated or -sponsored group (overt or otherwise) b) the non-affiliated or -sponsored citizen group c) the corporate group.

610 James Cook and Joseph Archer, “Telegraph Investigation: Google Search Exposes Sensitive Files and Emails from inside the Government and the NHS,” The Telegraph, April 18, 2020, https://web.archive.org/web/20200418181314/https://www.telegraph.co.uk/technology/2018/07/21/telegraph-investigation-google-search-exposes-sensitive-government/. 611 United Nations Institute for Disarmament Research, “The Cyber Index: International Security Trends and Realities.” United Nations Institute for Disarmament Research. 612 For the purposes of this thesis, national security documentation herein refers to national security strategies; cyber security strategies; and security reviews.


215

Following a brief discussion of these sub-types, this section will consider the security concerns and

vulnerabilities of this actor type, the potential aims of organised groups, their power relative to

other actors in cyberspace, and the intersection of the organised group actors with other actors in

the system. The ways in which organised groups are capable of acting, and their motivations in so

doing, are estimated to roughly coincide with their perception of the relative risk or threat that

cyber-enabled attacks represent to their interests.

State-affiliated and/or State-sponsored Groups

The first of the organised group sub-types I will discuss is that which is linked, however closely or

loosely, to a sovereign state. One thing to mention concerning these groups is the relative difficulty

of positively ascertaining state links when these groups will usually go to great lengths to either

obscure their (national) affiliation, or when the states suspected of sponsoring these groups

contend that they’re doing no such thing. The use of state-sponsored or -affiliated groups (SSAGs)

are, in many cases, a way for states to undertake operations in a relatively risk-free way, given that

officially there are no links of support between the government and the groups that may be taking

instruction or direction (however loosely defined) from government representatives. Examples of

groups suspected to be affiliated with their national governments include APT41 (also known as

DoubleDragon) from the PRC,613 and Energetic Bear (or CrouchingYeti) from the Russian

Federation.614 Groups that represent a significant concern are assigned (in the Western system, at

least) an APT numerical designation, for Advanced Persistent Threat.615

While this class of actor is state-sponsored or state-affiliated and so has either instruction or

support from state authorities, the existence of such groups and their capacity to engage with both

state and non-state actors in cyberspace speaks to the importance of CCI – not just to these actors,

but to their targets. The number of capable actors in the cyber domain that have the capacity to

affect state action and policy is growing; SSAGs, with the support (official or nonofficial) of states,

613 Nalani Fraser et al., “APT41: A Dual Espionage and Cyber Crime Operation,” FireEye, August 7, 2019, https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html. 614 Cimpanu, “FireEye, One of the World’s Largest Security Firms, Discloses Security Breach”; Andy Greenberg, “The NSA Confirms It: Russia Hacked French Election ‘Infrastructure,’” Wired, May 9, 2017, https://www.wired.com/2017/05/nsa-director-confirms-russia-hacked-french-election-infrastructure/; Kaspersky ICS CERT, “Energetic Bear / Crouching Yeti: Attacks on Servers,” Kaspersky ICS CERT | Kaspersky Industrial Control Systems Cyber Emergency Response Team (blog), April 23, 2018, https://ics-cert.kaspersky.com/reports/2018/04/23/energetic-bear-crouching-yeti-attacks-on-servers/. 615 FireEye, “Advanced Persistent Threat Groups (APT Groups),” FireEye, 2021, https://www.fireeye.com/current-threats/apt-groups.html.


216

are increasingly targeting not only states, but businesses within those states.616 Of the 10,000

victims of state-sponsored cyber-attacks identified by Microsoft in 2019, most were businesses,

and many were conducted for the purposes of either political influence or intelligence collection.617

It is crucial that states, organised groups (including businesses), and individuals approach CCI in a

coordinated manner, and fully understanding the risks of not investing sufficiently in cyber security

and resilience.

Non-affiliated Citizen Groups

The second of the identified sub-types of the organised group aggregate is that which is not

affiliated to or dependent on any national government, but which is capable of acting with unity

of purpose and affecting the international political system through their actions in cyberspace, to

varying degrees. It is important to note that, while these groups are herein referred to as non-

affiliated citizen groups (NCGs), the members of such groups should not be confused with

individual actors, which will be discussed in a subsequent section. These are generally understood

as not acting in aggregate toward a common goal according to the aggregate model utilised in this

thesis. NCGs, by definition, must remain unaffiliated with a national government; have a decision-

making apparatus capable of setting direction for the group; and act with unity of purpose toward

the attainment of a specific goal. Groups such as Anonymous618 are examples of the non-affiliated

citizen groups as they are understood in this thesis.

The relevance of CCI to NCGs is similar in many ways to its relevance to state-affiliated groups,

with the addendum that these groups act without the protection or tacit permission of state actors.

The ability of these groups to engage with other actors in cyberspace, and to continue to exist as

actors themselves, is dependent at least in part on the security practices and principles undertaken

by the members therein. For NCGs like Anonymous, the use of CCI measures decreases the

likelihood of identification and (potentially) prosecution of individual members engaging in cyber

conflict operations. Imperfect CCI practices can lead to unmasking and prosecution, as was the

case with Hector ‘Sabu’ Monsegur in 2011: identified by federal agents as one of the Lulzsec

616 Adi Gaskell, “State Sponsored Cyberattacks Are Happening Right Now,” CyberNews, June 23, 2020, https://cybernews.com/news/state-sponsored-cyberattacks-are-happening-right-now/; Gaskell, “The Rise in State-Sponsored Hacking in 2020.” 617 Gaskell, “State Sponsored Cyberattacks Are Happening Right Now”; Gaskell, “The Rise in State-Sponsored Hacking in 2020.” 618 A global hacker collective which, while not necessarily hierarchical, does have a decision-making apparatus through which it designates targets for the collective and goals toward which they work.


217

hackers, Monsegur was successfully ‘flipped,’ becoming a federal informant.619 His information

lead to the 2013 prosecution and incarceration of Anonymous leader Jeremy Hammond, speaking

to the undeniable importance and impact of the human element in any CCI operation, plan, or

practice.620

Corporate Response Groups

The final sub-type of organised groups identified herein is the corporate response group, or CRG.

Specific to corporations (irrespective of size or regional/global reach), CRGs are the branches of

corporate bodies responsible for the cyber security and cyber response of those bodies and their

interests, affiliates, and clients/customers. Because cyber security is a burgeoning field rather than

a traditional and longstanding security concern, and due also to the fact that unlike more traditional

concerns, cyberspace is a less well-regulated space globally, CRGs face a significant number of

challenges in protecting interests and responding to threats. In many countries, a cyber response

to an attack (usually termed a hack-back) have been deemed illegal, and so CRGs must be

innovative and extremely responsive to risk and threat. CRGs in the financial sector have proven

particularly effective, often driving innovation and policy, and sharing intelligence on risk

assessment and security vulnerabilities.621 For the mega corporations such as Apple, Facebook,

Google and Microsoft, security concerns are requiring increasing research, development and

innovation, as the consumer demands greater security of private data and Internet traffic. In some

respects, the security concerns and vulnerabilities mirror those of the state, albeit usually on a

smaller scale. Malicious software is a particular concern to corporate response groups, for example,

who, in addition to the immediate losses of intellectual property and client data in the case of a

significant data breach, may suffer a loss of reputation or public trust that then has knock-on

economic effects. The latter may result, in extreme cases, in the bankruptcy or closure of the

corporation in question.622 In the early 2000s, Google Inc. suffered a cyber-attack, generally

619 Andy Greenberg, “Anonymous’ Most Notorious Hacker Is Back, and He’s Gone Legit,” Wired, October 21, 2016, https://www.wired.com/2016/10/anonymous-notorious-hacker-back-hes-gone-legit/. 620 Greenberg; Ed Pilkington, “Jeremy Hammond: FBI Directed My Attacks on Foreign Government Sites,” the Guardian, November 15, 2013, http://www.theguardian.com/world/2013/nov/15/jeremy-hammond-fbi-directed-attacks-foreign-government. 621 Deloitte, “Transforming Cybersecurity in the Financial Services Industry: New Approaches for an Evolving Threat Landscape” (Johannesburg: Deloitte, 2014); Adrian Nish, Saher Naumaan, and James Muir, “Enduring Cyber Threats and Emerging Challenges to the Financial Sector,” Carnegie Endowment for International Peace, 2020, https://carnegieendowment.org/2020/11/18/enduring-cyber-threats-and-emerging-challenges-to-financial-sector-pub-83239; World Bank Group, “Financial Sector’s Cybersecurity: Regulations and Supervision” (Washington, D.C.: The World Bank Group, 2018). 622 Following a hack of trust certificate issuers, the Dutch certificate authority DigiNotar was forced into bankruptcy after a hack resulted in the issuance of fake trust certificates that may have exposed around 300,000 Iranians to data interception. They were unable to recover from the loss of trust in their services. Espiner, “Hack Attack Forces DigiNotar Bankruptcy.”


218

attributed to parties geo-located in the PRC, and eventually discovered that they had lost the

‘crown jewels’ of the Google empire: more specifically, the search algorithms that underpin the

Google search engine.623 Intrusion defence is, therefore, as much a concern for corporate actors

as it is for state governments.

Microsoft, for example, maintains the Microsoft Security Response Center, the stated mission of

which is “to protect customers from being harmed by security vulnerabilities in Microsoft’s

products and services, and to rapidly repulse attacks against the Microsoft Cloud,” and going on

to affirm that cyber security and defence is “not a static game: it requires continual engagement

and innovation.”624 Given that larger corporations are targets for both state and non-state actors

in cyberspace, and also contract services to both, Microsoft found it necessary to maintain

response teams and engage in both tactical and strategic CCI operations and practices.

In October 2020, Microsoft announced that in concert with telecommunications partners, they

had taken action against, and disrupted, the botnet operation known as Trickbot, first identified in

2016.625 Microsoft and its partners were granted approval by a US Court “to disable the IP

addresses, render the content stored on the command and control servers inaccessible, suspend

all services to the botnet operators, and block any effort by the Trickbot operators to purchase or

lease additional servers.”626 In essence, Microsoft employed tactical CCI measures against the

infrastructure of a botnet comprising more than one million devices, contributing to the overall

strategic CCI goal of operative security for not just Microsoft, but any actor that has been, or

would have been, targeted by the botnet’s (unknown) operators.

Individuals

Individual use of CCI practices and methods is also context-dependent for each individual. The

employment status and specialisation; the social position; knowledge of cyber-enabled threats; and

general interest will all play a role in how much attention an individual pays to their individual

cyber security, and thus their CCI practices. It should be noted that in this section (and in this

thesis generally), little attention is devoted to those individuals, and indeed organisations, that

either do not use (out of lack of knowledge) or choose not to utilise, CCI practices. They are

623 Neal, “Insider Reveals Details of Google Hacks”; Zetter, “Report.” 624 Microsoft Security Response Center, “MSRC | Our Mission,” Microsoft, 2021, https://www.microsoft.com/en-us/msrc/mission. 625 Tom Burt, “New Action to Combat Ransomware Ahead of U.S. Elections,” Microsoft On the Issues, October 12, 2020, https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/. 626 Burt.


219

acknowledged as a potential threat vector, but as this thesis concerns CCI and those who employ

CCI practices and processes, the actions or non-actions of those entities that do not employ CCI

are beyond the scope of this research. This section is meant to be an overview of the types of

individuals that are likely to employ CCI practices in the normal course of their lives for a variety

of reasons. Again referring to the aggregate model of analysis employed in this thesis, I have

identified three aggregate groups according to which individuals likely to use CCI can be classified:

hackers (either white or black hat); consultants/contractors; and interested individuals.

White Hat, Grey Hat, Black Hat

Hackers are the first aggregate group of individual users that spring to mind when considering the

practice of CCI. These individuals are highly active in cyberspace, and (depending on whether they

are white hat or black hat) are extremely likely to be interested in, and concerned about, their

individual security in cyberspace generally, but also during cyber operations particularly. White hat

hackers, or so called ‘ethical hackers’, are usually conducting operations with permission from the

owner of a particular site (and are sometimes contracted to do just that) to test that site's security.627

The purpose of these actions is to improve overall security, or at least reduce insecurity

surrounding that particular website. Grey hat hackers will often conduct the same sort of

operations as white hat hackers, but without the permission of the system owner, only requesting

remuneration or restitution or recompense after the fact; if this is not offered, the grey hat hacker

may or may not post the exploit online.628 Black hat hackers undertake cyber operations that are

likely to degrade, destroy, exploit, or manipulate online data. They are the producers of malware,

and often have the motivation of personal gain (usually financial). Occasionally motivations can

be political, as with so-called 'patriotic hackers' that act, usually in support of a state government,

against an entity they perceive to have wronged them or the entity they support. Both black and

white hat hackers may potentially be sponsored by state governments, acting alone but according

to the wishes or direction of an Administration.629

627 Mary Manjikian, Cybersecurity Ethics: An Introduction (Oxon: Routledge, 2017), 65, https://www.routledge.com/Cybersecurity-Ethics-An-Introduction/Manjikian/p/book/9781138717527; Norton, “What Is the Difference Between Black, White and Grey Hat Hackers?,” Norton, 2017, https://us.norton.com/internetsecurity-emerging-threats-what-is-the-difference-between-black-white-and-grey-hat-hackers.html. 628 Manjikian, Cybersecurity Ethics, 70; Norton, “What Is the Difference Between Black, White and Grey Hat Hackers?” 629 Manjikian, Cybersecurity Ethics, 66–67; Norton, “What Is the Difference Between Black, White and Grey Hat Hackers?”


220

Contractors/Consultants

The second aggregate group of individuals identified in this thesis are the contractors/consultants.

There is a fine line between this aggregate group and that of hackers, and indeed many hackers

can and have been contracted to undertake tasks or have found themselves consulting. Specifically,

however, this group refers to those individuals who are likely to contract to, or consult for,

corporate groups or state governments without forming part of the official cadre of corporate or

government employees. They work as individuals (forming a company of said individuals would

remove them from this aggregate and place them in a corporate aggregate); they are likely to have

security clearances to work on either corporate or government projects; they must, by necessity,

be extremely familiar with the dangers of cyber insecurity and are (usually by contract) required to

maintain a certain level of cyber security, thus increasing their uptake and utilisation of CCI

practices and processes. Contractors and consultants are also likely to undertake research on

malware found ‘in the wild’, contributing to both knowledge of malware and how to avoid

becoming a victim to particular types. Due to both their expertise and their social positioning, and

in conjunction with (the potential for) high-level security clearances, contractors/consultants are

also likely to actively employ CCI measures as part of the natural course of their work. The

feasibility of their employment and thus their personal economic stability depend on being able to

prove that they are committed to cyber security, of which CCI is an integral element.

Interested Individuals

The final aggregate group in this section is that of interested individuals. Persons who are not state

or corporation affiliated and are not classed as a black or white hat hacker for a particular reason,

and are not contractors or consultants in information technology security or the security of IT-

integrated systems, but have an interest in CCI for other reasons. Included in this aggregate would

be academics and civilians of any kind not fitting into another aggregate group, but still interested

in CCI. Interested individuals are not likely to require a comparable level of personal security as

would be required of individuals affiliated with a state or corporation, or contractors and

consultants whose financial security depends on their familiarity with cyber security measures. The

motivations of the interested individual usually concern data and personal privacy, areas which

have become increasingly important in public debate. As such, the utilisation of CCI practices may

not be as sophisticated or high-level as those practices employed by other aggregates, but

nonetheless are more sophisticated than any (potentially unconscious) practices utilised by an

individual unaware (or uncaring) of personal cyber security, and CCI specifically. Increasing public

awareness of these issues and the CCI practices easily enacted to mitigate them would contribute


221

to the overall security of the cyber domain. The human element is integral to the success of CCI

and the ongoing resilience and security of cyberspace, and, as such, is one of the focal threads of

this thesis.

Conclusion

Employers of counterintelligence cover a range of actors and entities currently active in

international cyberspace. Largely ungoverned, there is a significant need for further research on

the methods and processes according to which each of these actors operate, and the motivations

by which each decides strategy and designed tactics. By providing a short examination of the

varieties of actors that I have identified as operational in cyberspace, I hope to have built a

foundation upon which further research in this area can be developed. My intent is to provide a

frame of reference for the different actor groups and how they may interact with each other in

cyberspace, further providing a focus and drawing out some limits within which future research

can be undertaken. The chapter four analysis of how the UK has elevated the threat of cyberspace

concluded that while the cyber threat to assets has been successfully riskified, the UK has fallen

short of a comprehensive elevation by failing to acknowledge and elevate the risks to and from the

audience. At its core, CCI is about the human factor – the ability of individuals, and increasingly

large aggregates of individuals like organised groups and states, to effectively engage in CCI

practices that will contribute to the overall cyber security and information advantage of the state.

Managing the risks to and from the audience must become part of the national (and international)

approach to risk management and threat mitigation in cyberspace.

This chapter has identified and developed my definition of CCI. I have expanded my basic

typology of CCI introduced in prior research and developed the tactical-strategic understanding of

CCI operations. To properly assess the uptake of CCI by modern states, it is first necessary to

examine the way that cyberspace has been perceived and treated by modern states in terms of

potential risk and threat. As an integral element of contemporary society, cyberspace and cyber-

enabled technologies are woven into every element of life – communications, diplomacy,

international trade, etc. While a boon to efficiency, this has also introduced new vulnerabilities to

the three classes of actor identified in this thesis – states, organised groups, and individuals. The

way in which these vulnerabilities are perceived and acted upon affects attitudes and policies

toward cyberspace, cyber-enabled technologies, and the management and mitigation measures

employed in balance and defence. Chapter four traced the elevation of cyberspace as a risk in the

UK, and the counterintelligence responses this development is inducing. This chapter articulated


222

a definition and typology of CCI as a contribution to the nascent body of literature in this field,

and to address the information gaps identified in the analysis of the UK response to cyber risks

and threats. Chapter six uses the conclusions reached in chapters four and five, applying them to

a specific national security concern: the rising threat of cyber-enabled disinformation campaigns

as a form of foreign interference. I will discuss the assets vs. audiences divide in the current

application of CCI principles and examine two specific vignettes to identify how disinformation is

being countered (or not), illuminating the integral nature of CCI to national security.

223

6 - CCI in an Age of Disinformation: Assets vs. Audiences One of the foci of this thesis so far has been to emphasise the importance of the human factor in

any consideration of cyber counterintelligence (CCI). A key point that this thesis makes is that it

is crucial for an effective and efficient approach to CCI that counterintelligence actors draw out

how important human factors are for related issues in cyber security. Regardless of the purpose of

intelligence collection, regardless of the means utilised to collect intelligence, regardless of the

methods utilised to prevent other parties from conducting collection operations against you as an

individual, an organised group, or the state – every equation centres on the human variable. One

of the most concerning and timely demonstrations of the ongoing importance of the human factor

in considering the interaction of society and technology is the use of that technology by hostile

actors to influence the conscious or subconscious decisions and opinions of individuals. I refer

here to the practice and use of disinformation by foreign parties against the domestic populace of

a given state. It is my contention that, despite the centrality of the human factor in all calculations

of national security, modern states have failed to a concerning degree to properly elevate the threat

of foreign influence and interference against the general population. Moreover, drawing from the

history and tools of counterintelligence discussed in chapter two, and adapting them to the

evolving cyber threat landscape, CCI as defined in chapter two and developed in chapter five is

uniquely suited to recognise, monitor, mitigate, and respond to the recent evolution of foreign

influence and interference.

The second chapter of this thesis provided the contextual and background information necessary

for the analysis that has so far taken place. The discussions around traditional securitisation

theories, traditional counterintelligence and historical disinformation provided the foundation for

the theoretical development of the threat elevation framework in chapter three. Threat elevation

analysis provided the lens through which the evolving threat perception of cyberspace in the

United Kingdom was traced in chapter four. The examination of changing state perceptions of

cyberspace as a vulnerability and threat vector informed the elements of cyber counterintelligence

in the typology provided in chapter five, highlighting in particular the necessity of focusing on the

human element of counterintelligence practices moving forward. Taken together, these chapters

have provided a perspective on the evolving understanding and perception of the risk profile of

cyberspace in a mature and highly networked democracy and the ongoing design of measures and

policies to secure the cyber domain. The close analysis has identified, however, that there must be

an increased focus on and recognition of the danger to audience psychology of adversary

Chapter 6 – CCI in an Age of Disinformation

224

intelligence operations, such as disinformation, that have the potential to seriously and adversely

affect the democratic integrity of the state.

The evolution of disinformation in the digital age — particularly in terms of the creation and rapid

dissemination of false information, as well as the vastly increased target surface available to

adversaries given skyrocketing connectivity — has resulted in the need to reconsider how we must

approach counterintelligence in cyberspace. As disinformation is both an activity undertaken

through and content held in cyberspace, according to the British definition of cyberspace identified

in chapter four there is a requirement for the state to secure the population against foreign

influence through disinformation operations. Despite this claim, the analysis of the national

security documentation of the United Kingdom showed an explicit favouring of managing and

mitigating the threats to assets over the recognition of risks and threats to audiences. According

to the definition of CCI offered in chapter two of this thesis, the state is responsible for preventing,

identifying, tracing, penetrating, infiltrating, degrading, exploiting and/or counteracting the

attempts of any entity to utilise cyberspace as the primary means and/or location of intelligence

collection, transfer or exploitation; or to affect immediate, eventual, temporary or long-term

negative change otherwise unlikely to occur. Per both of these definitions, it is the responsibility

of the state to respond to the problems posed by disinformation, given the potential adverse effects

of such on democratic integrity. However, the preceding chapters have also shown that, in addition

to state responsibilities, there is a rising necessity for substate actors to engage in cyber

counterintelligence practices as part of an holistic approach to cyber security and resilience. Threat

elevation analysis provides a method by which to ascertain the evolution of threats to both the

state and the audience posed by disinformation, which will be considered in the subsequent

sections.

We saw in the chapter four analysis of the United Kingdom (UK) that critical national

infrastructure has been a serious concern for states, as has both international and, increasingly,

domestic terrorism, against the population and against infrastructure alike. We have also seen the

consideration of cyber-attacks and exploits against critical national infrastructure. What we have

not seen, however, in the examination of the national security documentation of the UK, is the

recognition that foreign action against the opinions and perceptions of the populace has or will

receive the same investment and protection as the physical infrastructures supporting the modern

state. Dr. Constanze Stelzenmuller, in her testimony before Congress during the investigation of


225

Russian interference in US elections by the Senate Select Committee on Intelligence, asserted that

what the Russians were trying to hack was not machines; it was people's minds:

The real target of Russian interference…is voters’ heads. They’re trying to hack our political consciousness. For this, they use a broad spectrum of tools, from propaganda, to disinformation, to hacking…630

The diffusion of access to cyberspace and cyber-enabled technologies has succeeded in making

the world smaller. We are more interconnected than ever before. Increasing interconnectedness

and easy access to foreign populations represent inherent vulnerabilities. It is now easier than ever

for hostile parties to inject false information into the ‘information ecology’ of domestic political

systems, seeking to influence public perceptions and decision from within. Done correctly, these

operations may never become public knowledge. Even when they become evident and are revealed

to the public eye, however, it is incredibly difficult to dissuade the population from beliefs based

on false information they had believed to be true. The ‘Protocols of the Elders of Zion’ is one

extremely well known and studied example of a deliberate act of disinformation that sought to

deepen and perpetuate anti-Jewish sentiment in Europe in the late 19th century.631 Importantly for

this discussion, despite repeated acknowledgment that the document was a fraudulent piece of

disinformation, the conspiracies that it dealt in remain believed by individuals exposed to it.

“Although most leading Nazis realised that The Protocols of the Elders of Zion was a spurious

document, they found it useful in promoting belief in the international Jewish conspiracy of which

they were already convinced. Authorship and other details were irrelevant, they averred, if the

book expressed “inner truth”.”632 The Protocols Of The Elders Of Zion show that, if successful,

it is likely that false information, even after being acknowledged as false, will continue to influence

the perceptions and behaviour of that person in an ongoing fashion, a concept known as ‘belief

echoes’ that will be examined in subsequent sections.

The success of disinformation operations is difficult to quantify and thus difficult to measure.

However, the instability in political systems and institutions that arises as a result of these

630 Senate Select Committee on Intelligence, “S. Hrg. 115-105 Russian Intervention in European Elections,” U.S. Senate Select Committee on Intelligence, June 28, 2017, https://www.intelligence.senate.gov/hearings/open-hearing-russian-intervention-european-elections#. 631 Esther Webman, The Global Impact of the Protocols of the Elders of Zion: A Century-Old Myth (Florence, United States: Taylor & Francis Group, 2011); Steven T. Katz and Richard Landes, The Paranoid Apocalypse : A Hundred-Year Retrospective on the Protocols of the Elders of Zion, 1st ed., vol. 3, Elie Wiesel Center for Judaic Studies (New York University Press, 2011). 632 Randall L. Bytwerk, “Believing in ‘Inner Truth’: The Protocols of the Elders of Zion in Nazi Propaganda, 1933–1945,” Holocaust and Genocide Studies 29, no. 2 (2015): 212–29.


226

operations is something with which many states have had to deal with over the last several years.633

Whether or not such operations have succeeded in changing election outcomes is arguable – it is

the contention of this thesis that the failure to elevate the education and protection of domestic

audiences with regard to the nature and use of disinformation operations has and will continue to

destabilise democratic institutions.634 While assets have been elevated successfully and measures put

in place to manage the risks against them, there has been a failure to elevate the risks to audiences

until the problem is already in need of threat mitigation measures, an example of reactive event-

based elevation and failed risk management.635 The point here is that, first, audiences need to be

treated equivalently to assets. Second, the development of, and reliance on cyberspace, mean that

these human vulnerabilities are an essential aspect of cyber security.

Previous chapters have examined the threat elevation analysis framework which underpins this

thesis and informs my understanding of how states have elevated political concerns to risks and/or

threats; the national security documentation of the UK; and the nature and use of CCI. The UK

chapter served as demonstration of the tenets of threat elevation theory, as well as context for the

discussion of disinformation that this chapter will develop. In the preceding chapter, I identified

and developed the positioning and inherent importance of the human factor to the understanding

and practice of CCI. From the level of the individual, CCI practices and measures contribute to

the overall cyber resilience and security of the state. Organised groups and states are aggregates of

individuals, and individuals represent both a vulnerability and a threat vector in terms of security

threats like cyber-enabled disinformation. Individuals at once have the potential to be targets,

creators, and disseminators of both disinformation and counter-disinformation narratives. By

engaging actors at the individual; organised group; and state level, and comprehensively elevating

the risks inherent in cyberspace in order to develop risk management measures such as CCI, the

potential consequences to democratic integrity from successful disinformation campaigns can be

managed or mitigated.

This chapter will first define the concept of disinformation, differentiating it from misinformation

and discussing the purpose and use of disinformation in the political information ecology as a form

633 Rid, Active Measures: The Secret History of Disinformation and Political Warfare; Darrell M. West, “How to Combat Fake News and Disinformation,” Brookings, December 18, 2017, https://www.brookings.edu/research/how-to-combat-fake-news-and-disinformation/. 634 See also a recent article, that I co-authored with Adam Henschke and Matthew Sussex that looks at how foreign interference campaigns can undermine the integrity of elections: Henschke, Sussex, and O’Connor, “Countering Foreign Interference: Election Integrity Lessons for Liberal Democracies.” 635 Event-based elevation is discussed further in chapter three.


227

of foreign influence. It will then consider disinformation in the context of what I call the assets vs.

audience dichotomy, according to the threat elevation analysis framework. This will be done in

two ways. First, there will be a short discussion of the relevance of event-based threat elevation in

considering interference and influence operations undertaken in cyberspace, or through cyber-

enabled means and technologies. Following this, I offer two vignettes: the first is an examination

of a failed elevation of audience importance through the prevalence in the contemporary

information ecology of COVID-19 disinformation. The second is a successful elevation of

audience importance through Sweden’s approach to disinformation campaigns. Sweden has

engaged in a strategic approach to CCI that not only evaluates the threats to assets but specifies

the importance of teaching the audience to ascertain the veracity of information – this is done

from childhood through education, as the UK has started to do, but also through civil service

campaigns targeted at older populations to engage as much of the audience as possible. In assessing

each vignette, I look for the target; the intent or purpose of the operation; the outcome or

consequences; and whether CCI measures were used and successful, were not used, or were used

and failed. The chapter will end with a consideration of potential countermeasures against foreign

influence and interference through cyber-enabled disinformation operations.

Disinformation

Disinformation is not a novel concept or practice. Far from being a recent tactic in terms of

political influence or interference, disinformation is a time-honoured and thoroughly tested tool.636

Such psychological operations are “as old as warfare itself.”637 In recent years, the use of

disinformation to affect foreign audiences' behaviour or perceptions has moved more into the

public eye, particularly in terms of interference in Western democratic nations by the Russian

Federation.638 However, the advent of cyberspace and the diffusion of cyber-enabled devices is

lending disinformation a new lease in political life, as hostile actors are more easily able to

communicate directly with citizens of a target state than ever before. Given the risks to audience

psychology and decision-making posed by successful disinformation, these risks need to be

636 James H. Fetzer, “Disinformation: The Use of False Information,” Minds and Machines 14, no. 2 (May 2004): 231–40, https://doi.org/10.1023/B:MIND.0000021683.28604.5b; Julie Posetti and Alice Matthews, “A Short Guide to the History of ’fake News’ and Disinformation” (International Center for Journalists, 2018), https://www.icfj.org/sites/default/files/2018-07/A%20Short%20Guide%20to%20History%20of%20Fake%20News%20and%20Disinformation_ICFJ%20Final.pdf; Rid, Active Measures: The Secret History of Disinformation and Political Warfare; Romerstein, “Disinformation as a KGB Weapon in the Cold War.” 637 Peter J. Smyczek, “Regulating the Battlefield of the Future: The Legal Limitations on the Conduct of Psychological Operations (PSYOP) under Public International Law. - Free Online Library,” Air Force Law Review 57 (2005): 214. 638 For a recent overview of this, see Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare, pp. 329-423.


228

comprehensively elevated as a democratic integrity and foreign interference threat. The education

of the democratic audience in the use of CCI practices and methods will contribute to the overall

security of the state and of democratic institutions at large.

According to James Fetzer, disinformation “entails the distribution, assertion, or dissemination of

false, mistaken, or misleading information in an intentional, deliberate, or purposeful effort to

mislead, deceive, or confuse.”639 To this definition, I would add the qualifier ‘for political purposes,’

as for the purposes of security studies (in which field this thesis is broadly situated);

“disinformation is frequently analysed as a tactic of hostile foreign state actors.”640 It is important

to note that intent plays a significant role in the differentiation between disinformation and

misinformation, two terms that are often conflated but are distinct concepts. Misinformation

(explored in chapter two) is that information which is unintentionally (factually) incorrect or

misunderstood – transmitting misinformation is an honest mistake and could feasibly be corrected

with provision to the offending party of the correct information. Disinformation is often

considered a tactic employed by hostile actors because incorrect information is transmitted

purposefully, with the intent of modifying a perception or behaviour in some way either inimical to

the target, or beneficial for the attacker. Disinformation can also include factually accurate

information where the source is hidden or disguised, or which is delivered in such a context that

incorrect conclusions are drawn based on that information, such that benefit of some kind is

delivered to the attacker, or negative consequences befall a targeted party.641

The use of disinformation operations to sway public opinion is by no means a novel technique for

foreign actors. As Thomas Rid has recently argued, the Soviet Union used disinformation and

propaganda operations extensively throughout the Cold War,642 even to the point of risking self-

deception. KGB personnel, through self-aggrandisement and the desire to make their

disinformation campaigns seem successful, claimed that the theory of nuclear winter was Soviet

disinformation.643 This claim was later supported by Soviet defectors:

639 Fetzer, “Disinformation.” p. 231. 640 Jennifer Hunt, “The COVID-19 Pandemic vs Post-Truth” (Global Health Security Network, 220AD), https://www.ghsn.org/resources/Documents/GHSN%20Policy%20Report%201.pdf p.6. 641 For more on the philosophical basis and ethical implications of these notions of disinformation and misinformation, see Adam Henschke, Ethics in an Age of Surveillance: Personal Information and Virtual Identities (Cambridge: Cambridge University Press, 2017), https://doi.org/10.1017/9781316417249 pp. 131-149, 222-236. 642 Rid, Active Measures: The Secret History of Disinformation and Political Warfare pp. 101-227. 643 Rid, pp. 288-297.


229

The more an intelligence agency engages in organised and persistent disinformation operations, the more disinformation is likely to have been deposited in official archives and the memories of former officers.644

The United States (US) also used disinformation extensively during the Cold War; the Central

Intelligence Agency (CIA) maintained a bureau in Berlin which ran lengthy and complicated

operations, either conceived and undertaken from within the agency itself, or in support of local

actors engaging in operations against the Soviet Union in East Berlin and elsewhere.645 Given

decades worth of examples to choose from, why are disinformation operations coming to the fore

now? What makes modern disinformation operations more potentially damaging or invasive than

the operations of the past?

While other answers are possible (population density, increase in partisanship, globalisation, etc.),

I argue that cyberspace is a force multiplier of modern disinformation operations. Because modern

disinformation operations increasingly target the audiences of democratic nations rather than the

elites (such as policymakers, though they are likely still targeted), disinformation campaigns are

increasingly capable of directly influencing not just national policies (through elites, as in

antecedent times), but through the leadership of nations. Vladimir Putin, for example, was known

to have preferred the candidature of Donald Trump over that of Hillary Clinton in the US 2016

elections, and that it was at “the direction of the Kremlin [that] the IRA sought to influence the

2016 US presidential election by harming Hillary Clinton’s chances of success and supporting

Donald Trump.”646 It was, therefore, in the interests of the Russian administration that one

candidate be favoured in that election. What was novel was the use of cyber means to enhance the

effectiveness of targeting sectors of the US population.

Despite these sorts of actions being unlawful according to the United Nations Charter, meddling

in the internal affairs of foreign states is not new in international relations. The communications

potential of cyberspace, particularly through the massive social media platforms, multiplies the

access opportunities for foreign nations to gain influence and interference opportunities. The

insecure nature of the Internet as well as cyber-physical technologies647 represents a massive

644 Rid, p. 46. 645 Rid, pp. 61-100. 646 Senate Select Committee on Intelligence, “Volume 2: Russia’s Use of Social Media,” 32; See also Uri Friedman, “Putin Said in Helsinki He Wanted Trump to Win,” The Atlantic, July 19, 2018, https://www.theatlantic.com/international/archive/2018/07/putin-trump-election-translation/565481/; Stephanie Murray, “Putin: I Wanted Trump to Win the Election,” Politico, July 16, 2018, https://www.politico.com/story/2018/07/16/putin-trump-win-election-2016-722486; Office of the Director of National Intelligence, “Assessing Russian Activities and Intentions in Recent US Elections.” 647 The Internet of Things will be discussed in a later section of this chapter.


230

challenge in terms of CCI as well, in that there are many intelligence collection and exploitation

opportunities inherent in a highly-connected society that operates under a liberal capitalist

economic system; technological innovation is both comparatively cheap and widely adopted. In

combination with systems of surveillance capitalism as examined by Shoshana Zuboff,648 this

uptake creates an abundance of data that is both available and exploitable. Under these conditions,

where access to the Internet, and to inordinately large volumes of data that can be disaggregated

and used in psychological targeting649 are widely available, and where foreign access to domestic

audiences is barely or not at all limited, the opportunities to undertake extensive disinformation

campaigns with limited or no restriction/retaliation are considerably larger than in prior eras. As

we saw in chapter four, states have largely overlooked the vulnerability of audiences to such efforts,

and CCI has not been developed to increase the audience resilience to such efforts.

The increased capacity to access domestic audiences remotely (which is exploitable by domestic

factions as well, not just foreign actors) in combination with the communication potential of the

social media platforms, and the data that those platforms collect as a matter of course, make

disinformation campaigns undertaken through those same platforms difficult to combat. Initially,

disinformation campaigns must be identified and, if possible, traced to origin and attributed to

the/a responsible actor. This is explicitly a matter for state CCI actors, as belief echoes have

potential consequences for electoral and democratic integrity as well as national security, in the

case of externally imposed strategic narratives. While individual CCI will help in reducing the

instances of successful belief undermining or transformation among the democratic audiences,

state CCI actors will need to mitigate and then manage that threat going forward. Even once a

campaign has been identified, however, there are several factors which make countering that

campaign difficult for counterintelligence actors. The first issue concerns the platforms

themselves; the second, the strategic narratives being conveyed by the disinformation campaigns

and the local context in which they are received, which can impact the third (related) issue of belief

echoes.650 The next several sections will consider these three issues, identifying the importance of

CCI and why greater recognition of threats to audiences is necessary to the ongoing security and

resilience of the modern state.

648 Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (London: Profile Books, 2018). 649 Psychometrics and microtargeting will be discussed in a subsequent section of this chapter. 650 There are a range of ethical and political concerns related to these issues, which are beyond the scope of this thesis to address. For a starting point, see Henschke and Reed, “Toward an Ethical Framework for Countering Extremist Propaganda Online.”


231

Preferencing Assets, Forgetting Audiences: The Rise of Disinformation

One of the key points of this chapter is the differentiation of assets and audiences, or more

specifically the differences in elevation of both of those elements. The interaction of cyberspace

and cyber-physical technologies with almost every aspect of everyday life (especially considering

the growth rate of the Internet of Things, see below) means an increase in surface area for attack

by hostile parties; it also means a profusion of intelligence collection stations that, if not properly

secured, can be used to great effect by both domestic and foreign intelligence collectors. The

integration of critical infrastructure technologies with cyberspace has been identified as a

significant national security risk by sovereign governments worldwide, including the case study

country of this thesis, namely the UK. As noted in chapter four, we saw the elevation of cyberspace

as a threat vector, but the focus was on the physical and critical infrastructure: the assets. However,

this focus has resulted in the disregard of the audiences of liberal democratic countries like the UK

– the public, the individuals whose perceptions can be affected by both domestic and foreign

operators. If perceptions can be affected enough, behaviour modification like voting decisions

become possible.

So, why has there been an uneven recognition of the two threat vectors – critical physical

infrastructure and audience psychology? I would argue that the profusion and diffusion of both

highly networked technologies and access to the internet, which is itself fundamentally insecure,

in combination with the ‘cyber doom-sayers,’651 captured the imagination of policymakers and thus

a significant share of defence and intelligence spending and focus. Assets were thus effectively

elevated as the risks to them were made clear. But, as we saw in chapter four, audiences have been

largely overlooked.

Over the last several years, despite the elevation of the threats posed by cyberspace and while there

has been a rise in influence and interference operations which specifically target not just types or

classes of voter, but specific voters, there has not been a parallel rise in efforts to secure and defend

these ‘soft psychological’ targets. Logically, if a foreign actor can avoid the expense of breaking

into technologies and systems by targeting influence operations against democratic populations,

and in this way ‘take part’ in democratic institutions such as elections, less inimical leaders might

be raised to office, whom that foreign actor might find more advantageous. Alternately, the

651 We can look here to former US Special Advisor to the President on Cybersecurity, Richard A Clarke’s concerns about the need to prepare for a ‘cyber Pearl Harbour’ as one such example. See: Richard A. Clarke and Robert Knake, Cyber War: The Next Threat To National Security and What to Do About It (New York: HarperCollins, 2012), https://www.harpercollins.com/products/cyber-war-richard-a-clarkerobert-knake.


232

degradation of alliances and reputation of the country which has been the target of influence

and/or interference operations might itself prove to provide the only advantage that hostile actors

require to obtain greater power and influence over the international system. While

counterintelligence remains primarily the remit of the state, is also important that domestic

audiences be educated both in terms of what is occurring and what countermeasures are being

undertaken, but also in how to ensure that their own actions in cyberspace contribute to their

security rather than detract from it. According to the earlier examinations of the development of

cyberspace as a threat vector in the UK, it is rare that states identify audiences as a critical

vulnerability.

Audiences, then, need to be protected just as critical national infrastructure is protected. This

speaks to the necessity of CCI not only at the state level but also at the level of the individual, and

aggregates of individuals like organised groups. While the state may be able to secure critical

infrastructure from cyber-attack – and this is arguable – the number of actors capable of entering

and operating in cyberspace means that it is no longer possible for the state to be the sole guarantor

of cyber security, whatever that may look like. Because it is now simple for hostile actors to target

domestic populations to engage in foreign interference operations through the use of tools like

disinformation, some responsibility for CCI has necessarily been devolved to the individual actor.

Efficient CCI practices on the part of individuals and organised groups will contribute to the

resilience of the state against cyber-enabled information exploitation and interference and reduce

the attack surface the state must protect. A strategic approach to CCI must acknowledge the risks

to and from the audience and manage that risk appropriately, which will include engaging in

education campaigns targeted at all age levels and sectors of society.

The rise of disinformation and propaganda operations affects audiences not just temporarily but,

in the informational residue — what has been called belief echoes (see below) — in the long-term

as well. The use by both domestic and foreign actors of psychometric targeting based on voter

profiles compiled by consulting firms such as Cambridge Analytica,652 in particular, has enabled

more specific targeting of individual voters – this practice of micro-targeting allows for much finer-

grained operations than could previously have been imagined.653 The fairly opaque nature of the

652 I discuss Cambridge Analytica later in this chapter in the section concerning psychometrics. 653 According to Borgesius et al., microtargeting is a type of (political) communication for which specific data is gathered about an individual and used to create a profile based on which targeted advertisements are shown. Frederik J. Zuiderveen Borgesius et al., “Online Political Microtargeting: Promises and Threats for Democracy,” Utrecht Law Review 14, no. 1 (February 9, 2018): 82–96, https://doi.org/10.18352/ulr.420. For more on


233

large digital social media platforms, particularly Facebook, means that the advertising and

disinformation used in many of these influence operations is only ever seen by the specific

individuals targeted, making it extremely difficult to trace and attribute the operations, but also to

quantify their effects on audiences and thus the political constitution of democratic

administrations.654 This sort of reach and potential impact would have been improbable prior to

the rise of social media platforms and cyber-enabled disinformation, and will require a

comprehensive elevation of audience vulnerability in combination with efficient and widespread

practice of CCI to manage.

Countering Disinformation – Social Media Platforms

One of the primary difficulties associated with countering disinformation campaigns concerns the

social media platforms which convey much of the false information, particularly the massive

platforms of Facebook and Twitter. Facebook has been the subject of considerable scrutiny,

particularly in the US, following the revelations of Russian influence operations being undertaken

via that platform in the run-up to the 2016 presidential elections. The Senate Select Committee on

Intelligence, which undertook an almost three-year investigation on Russian interference, called

Facebook and Twitter upper management to testify several times over the course of the

investigation; representatives of the social media giants were also asked to testify in the UK 's

investigation into interference in the Brexit referendum.655

Google as a search engine is as likely to convey disinformation as it is facts; results appear to the

individual searcher according to both search terms used and according to what Google's search

algorithm decides would be of greatest interest to the individual conducting the search. Regardless,

microtargeting, see Kyle Endres and Kristin J. Kelly, “Does Microtargeting Matter? Campaign Contact Strategies and Young Voters,” Journal of Elections, Public Opinion and Parties 28, no. 1 (January 2, 2018): 1–18, https://doi.org/10.1080/17457289.2017.1378222; Young Mie Kim et al., “The Stealth Media? Groups and Targets behind Divisive Issue Campaigns on Facebook,” Political Communication 35, no. 4 (October 2, 2018): 515–41, https://doi.org/10.1080/10584609.2018.1476425; Chris Tenove et al., “Digital Threats to Democratic Elections: How Foreign Actors Use Digital Techniques to Undermine Democracy” (Centre for the Study of Democratic Institutions, 2018), https://www.ssrn.com/abstract=3235819. 654 Amer and Noujaim, The Great Hack; Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. 655 Despite several requests, Mark Zuckerberg never appeared before the UK investigative committee, nor did any Facebook employee. Twitter representatives also failed to appear before that same committee. Facebook, Twitter, and Alphabet (Google) representatives were called to testify multiple times before Congress during American investigations into potential interference. Five volumes were published by the Senate Select Committee on Intelligence (SSCI) concerning the allegations of Russian interference in US elections, which can be found at the Homeland Security Digital Library: U.S. Department of Homeland Security, “Homeland Security Digital Library,” Homeland Security Digital Library, accessed March 20, 2021, https://www.hsdl.org/?search&exact=Senate+Report+on+Russian+Interference+in+2016+Elections&searchfield=series&collection=limited&submitted=Search&advanced=1&release=0&so=date.U.S. Department of Homeland Security.


234

given that it is the primary filter and source of information for people, the proliferation of

disinformation that can be surfaced through Google is of great concern. Of more concern in the

current era, however, are specifically the social media giants Facebook and Twitter. Until recently,

both platforms had a view toward publication of information that amounted to a free-for-all policy

– individuals have a right to freedom of speech and could publish it as they saw fit. With the rise

of disinformation and increasing partisan battles over elections, and the potential of foreign

interference in democratic institutions, the social media platforms have had to design increasingly

specific policies and justifications for those policies. After years of advocating a right to unfettered

public communication,656 Twitter then-CEO Jack Dorsey started to take an increasingly active role

in identifying and flagging potential breaches of their accurate information policy. Tweets that

could contain false or misleading identification are flagged as such – see Figure 6 - Twitter flags

potential disinformation.657

Figure 6 - Twitter flags potential disinformation

However, this is a recent policy; up until March 5, 2020, Twitter performed no regulatory function

in terms of allowable publication of Tweets, unless those Tweets incited violence.658 Prior to the

656 Austin Carr, “When Jack Dorsey’s Fight Against Twitter Trolls Got Personal,” Fast Company, April 9, 2018, https://www.fastcompany.com/40549979/when-jack-dorseys-fight-against-twitter-trolls-got-personal. Carr. 657 Donald Trump’s Twitter account was suspended in January 2021 following the insurrection of January 6, however his tweets can still be found on the Internet Archive. See Donald Trump, “Nevada Is Turning out to Be a Cesspool of Fake Votes. @mschlapp & @AdamLaxalt Are Finding Things That, When Released, Will Be Absolutely Shocking!,” Twitter, November 10, 2020, https://web.archive.org/web/20201109195514/https://twitter.com/realdonaldtrump/status/1325889532840062976. 658 Yoel Roth and Ashita Achuthan, “Building Rules in Public: Our Approach to Synthetic & Manipulated Media,” Twitter, February 4, 2020, https://blog.twitter.com/en_us/topics/company/2020/new-approach-to-synthetic-and-


235

current practice of flagging potential disinformation to the consumers of information on the

Twitter platform,659 false information could be introduced and circulated without restriction or

regard for potential consequences. This made, and still makes, the Twitter platform an ideal vehicle

for disinformation operations regardless of the initiating actor. As of October 2020, there are

approximately 340 million users of Twitter.660 How many of those users are legitimate individuals

rather than fake accounts is both debatable and subject to change. If even 70% of those active

accounts are legitimate individuals, however, that is still a considerable number of people that were

likely to come across misinformation or disinformation at some point during their interactions

with the Twitter platform. The practice of information laundering makes that spread of

disinformation both degrees of magnitude larger than just the original post audience, and more

difficult to track and subsequently manage.661

Facebook has a larger audience than Twitter by several orders of magnitude, with approximately

2.7 billion monthly active users as of October 2020 according to Omnicore’s most recent update.662

Facebook has also been identified as a significant vehicle for disinformation: in particular, around

Russian disinformation campaigns that took place in relation to the US presidential campaigns and

election in 2016, and the midterm elections of 2018. Facebook CEO Mark Zuckerberg has been

strident in his objections against Facebook taking a role in the policing of information accuracy in

the political information ecology, stating that it is not up to Facebook to censor or otherwise

restrict what people chose to post or to read.663 While Zuckerberg may be correct in stating that it

manipulated-media.html. I note here that Twitter first started to really limit content with the rise of so-called Islamic state, and its use of Twitter to distribute violent content and ideas. See Conway et al., “Disrupting Daesh.” Roth and Achuthan, “Building Rules in Public.” I note here that Twitter first started to really limit content with the rise of so-called Islamic state, and its use of Twitter to distribute violent content and ideas. 659 Yoel Roth and Nick Pickles, “Updating Our Approach to Misleading Information,” Twitter, May 11, 2020, https://blog.twitter.com/en_us/topics/product/2020/updating-our-approach-to-misleading-information.html. 660 Omnicore, “Twitter by the Numbers (2021): Stats, Demographics & Fun Facts,” January 6, 2021, http://www.omnicoreagency.com/twitter-statistics/. 661 European Parliament. Directorate General for Parliamentary Research Services., “Automated Tackling of Disinformation: Major Challenges Ahead.” (Euopean Parliamentary Research Service, 2019), https://data.europa.eu/doi/10.2861/368879; Kirill Meleshevich and Bret Schafer, “Online Information Laundering: The Role of Social Media,” Alliance For Securing Democracy (blog), January 9, 2018, https://securingdemocracy.gmfus.org/online-information-laundering-the-role-of-social-media/; Boris Toucas, “Exploring the Information-Laundering Ecosystem: The Russian Case,” Center for Strategic & International Studies, August 31, 2017, https://www.csis.org/analysis/exploring-information-laundering-ecosystem-russian-case. European Parliament. Directorate General for Parliamentary Research Services., “Automated Tackling of Disinformation”; Meleshevich and Schafer, “Online Information Laundering”; Toucas, “Exploring the Information-Laundering Ecosystem.” 662 Omnicore is a digital marketing agency. Omnicore, “Facebook by the Numbers (2021): Stats, Demographics & Fun Facts,” January 6, 2021, http://www.omnicoreagency.com/facebook-statistics/. 663 Cecilia Kang and Mike Isaac, “Defiant Zuckerberg Says Facebook Won’t Police Political Speech,” The New York Times, October 17, 2019, sec. Business, https://www.nytimes.com/2019/10/17/business/zuckerberg-facebook-free-speech.html; Tom McCarthy, “Zuckerberg Says Facebook Won’t Be ‘arbiters of Truth’ after Trump Threat,”


236

is not Facebook’s responsibility what information its users choose to engage with, I contend that

the social media platform does bear a responsibility to at least identify where disinformation may

be proliferating, in order to ensure the resilience of its users against influence or interference.664

Facebook representatives appearing before the Senate Select Committee on Intelligence (SSCI),

and before Congressional hearings about social media and disinformation, have been subject to a

scrutiny that until recent years social media platforms had been able to avoid. As a result of the

identified disinformation campaigns undertaken in part through Facebook relating to the 2016

Presidential election, Facebook now identifies articles and posts that may contain disinformation

or are other falsely representing whatever is communicated in the post.665 Arguably, this is too little

too late – Facebook and Twitter, and associated social media platforms such as Instagram, have

contributed as vehicles of disinformation to the already-declining public trust in institutions. The

public is now aware that not all information conveyed through these sites is accurate or a correct

representation of whatever content is being communicated.666 Over 2 billion people have been

operating within social media information ecologies wherein the information is not certifiably

accurate – and, because of the search and association algorithms, are often only exposed to news

and information sources that align with views already held. These are ascertained through the

immense volumes of data available to exploitation by these platforms.667

Because audiences have not been elevated as a security risk until recently, these individuals have

been vulnerable to both domestic and foreign influence operations, which are difficult to both

track and quantify. Facebook, for example, does not keep an archive of political advertising

displayed through its marketing portal, nor a record of the individuals targeted by specific ads. As

Carole Cadwalladr identified in her exhaustive investigation of the Cambridge Analytica episode

(discussed in the microtargeting and psychometric profile sections later in this chapter), Facebook

the Guardian, May 29, 2020, http://www.theguardian.com/technology/2020/may/28/zuckerberg-facebook-police-online-speech-trump. 664 For an examination of ethical frameworks for countering online propaganda, see Henschke and Reed, “Toward an Ethical Framework for Countering Extremist Propaganda Online.” 665 Mark Wilson, “Here Is Facebook’s First Serious Attempt To Fight Fake News,” Fast Company, December 15, 2016, https://www.fastcompany.com/3066630/here-is-facebooks-first-serious-attempt-to-fight-fake-news. 666 Janna Anderson and Lee Rainie, “The Future of Truth and Misinformation Online,” Pew Research Center, October 19, 2017, https://www.pewresearch.org/internet/2017/10/19/the-future-of-truth-and-misinformation-online/; West, “How to Combat Fake News and Disinformation.” 667 This quantity and quality of data is referred to by Shoshana Zuboff as behavioural surplus, and informs much modern advertising today. Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. pp. 63-97.


237

advertising is a black box – unless you are the individual targeted for specific advertising, you will

not see that content.668

The lack of accurate or available records from Facebook, especially given their volume of monthly

active users and global reach, is particularly concerning when trying to identify or trace foreign

interference operations. Disinformation campaigns can be difficult to trace and attribute without

considering the difficulty of gathering the examples of disinformation that are being accepted by

viewers as accurate news; a recent study indicated that a growing number of people get their news

solely from the large social media platforms.669 This narrows the channel of information they have

access to, but also increases the likelihood that they may not realise they have been deceived by an

information operation, the content of which may then go on to change their perceptions (for

example, on policies or politicians), and could then lead to behaviour modification. Over the last

few years, and as further information has been released about not only cyber-enabled

disinformation operations, but the role of the social media platforms as vehicles of disinformation

operations, the recognition of audiences as a security vulnerability by the social media platforms

has resulted in the elevation of audiences to a security risk – and attempts are being made to

manage that risk.

Despite its centrality to counterintelligence, countering disinformation online can be difficult. This

is in part because of the focus on assets, and the fact that audiences have not been elevated. The

analysis in chapter four of the UK’s elevation of cyberspace threat identified that while assets have

been riskified, there has been a failure to elevate the threat to and from audiences and this has

resulted in an uneven approach to CCI and understanding of cyber-enabled threats such as

disinformation. Acknowledging and understanding the role of the individual – the human factor

– in cyber security through the education and implementation of CCI societally will contribute to

the overall cyber security of the state, but this can only occur once governments comprehensively

elevate the role of the audience in cyber security as both a vulnerability (as a target of

disinformation campaigns) and a threat vector (in the case of successful disinformation

668 Cadwalladr first investigated the importance of this practice when tipped off by a Facebook user about advertising appearing on their feed, of which they had taken screenshots (pertaining to the Brexit referendum). Cadwalladr in Amer and Noujaim, The Great Hack. 669 Elisa Shearer, “Social Media Outpaces Print Newspapers in the U.S. as a News Source,” Pew Research Center (blog), December 10, 2018, https://www.pewresearch.org/fact-tank/2018/12/10/social-media-outpaces-print-newspapers-in-the-u-s-as-a-news-source/; Peter Suciu, “More Americans Are Getting Their News From Social Media,” Forbes, October 11, 2019, https://www.forbes.com/sites/petersuciu/2019/10/11/more-americans-are-getting-their-news-from-social-media/; Amy Watson, “Usage of Social Media as a News Source Worldwide 2020,” Statista, June 23, 2020, https://www.statista.com/statistics/718019/social-media-news-source/.


238

campaigns). Understanding methods of and approaches to CCI, as outlined in chapter five, will

aid in the analysis and elevation of cyber-enabled threats and contribute to the design of both

tactical and strategic response plans. Further, there are a range of practical issues, not only in terms

of technical capacity to locate and disable bot accounts or illegitimate accounts (foreign operatives

masquerading as locals), but in countering the ‘accepted knowledge’ or ‘accepted truth’ of

communities that have been successfully influenced by false information. The next section

considers the role and consequences of strategic narratives.

Countering Disinformation - Strategic Narratives

We have discussed the profusion and diffusion of disinformation through the social media

platforms that can be part of campaigns designed to influence domestic populations. But what is

the actual purpose of the disinformation? What are these operations trying to convince people of?

On the definition above, false information that is circulated without a specific purpose is just

misinformation – with attention, it can be countered and corrected. However, disinformation is

false information that is circulated with a specific, typically political, intent – there is a specific goal,

and, to accomplish this goal, it follows that there must be a strategic narrative that these operations

are working to enforce. As I argue, effective CCI recognises the centrality of strategic narratives

and acknowledges the necessity of managing or mitigating their effects. Strategic narratives must

be identified and countered by state security agencies to effectively engage in CCI against

disinformation. Further, security agencies must occasionally engage in proactive CCI by creating

and propagating counter-narratives of truth as effectively, efficiently, and quickly as possible to

manage the risk of the false information taking root in audience belief frameworks. The threat to

audience psychology here needs to be elevated in order to prevent a future destabilisation of

electoral integrity, wherein voter decisions are based in whole or in part on disinformation and are

neither free nor informed. In short, CCI, then, is an entirely necessary part of the state response

to foreign interference through strategic narratives and disinformation.

A strategic narrative is the overall story within which the disinformation content operates, the goal

toward which influence operatives work with respect to their target audiences. “Strategic narratives

are crafted by political actors with a specific intention in mind: influencing an audience.”670 A

disinformation operation designed to influence specific segments of a population (particularly in a

democratic nation) needs to have a number of elements in order to be successful: highly specific

670 Olivier Schmitt, “When Are Strategic Narratives Effective? The Shaping of Political Discourse through the Interaction between Political Myths and Strategic Narratives,” Contemporary Security Policy 39, no. 4 (October 2, 2018): 488, https://doi.org/10.1080/13523260.2018.1448925.


239

targets; a particular goal or behavioural modification; and, importantly, a thorough understanding

of the domestic political, economic, and societal context, so that the campaign itself doesn't stand

out enough to be immediately identifiable to those targets or any observers. “For an ‘external’

strategic narrative to have a maximal effect in the targeted audience, it must contribute to the work on

local myths. In other words, to be effective, a strategic narrative must be able to resonate with local

political myths.”671 If a hostile party attempts to exert covert influence on a foreign population

without a thorough understanding of the context in which this influence is intended to operate,

there is a reasonable chance that it will not succeed because it does not resonate with the pre-

existing local myths or closely-held socio-political beliefs of the target population. The importance

of understanding the belief structures of the targeted populations cannot be overstated in the

design of successful disinformation campaigns, which is why the audience needs to be recognised

as vulnerable and a vulnerability and elevated to a security risk to induce greater investment in

protection and countermeasures.

The strength of a strategic narrative is not the sole guarantor of success in a disinformation

campaign – anything involving the influence of human perception or attempted (covert) behaviour

modification must deal with the vagaries of the human psyche, which are themselves inherently

unpredictable. However, success is more likely if the campaign leans into these pre-existing beliefs

and societal conditions, exacerbating social and partisan divides by feeding disinformation into the

local information ecology. The Protocols of the Elders of Zion, mentioned earlier, had the impact

it did due to the existing anti-Semitic beliefs that were popular throughout Europe. In the modern

information environment, the easiest way of doing this, as discussed in the previous section, is

through the large social media platforms – the ‘you might like this’ algorithm suggests groups or

pages that are akin to what you already show a proclivity toward. The echo chamber that this

creates reinforces pre-existing beliefs by surrounding your digital self with groups and pages that

hold to the same or similar beliefs and convictions, reinforcing them.

It is also important to note that disinformation campaigns rarely run along a single track – studies

of the Russian influence operations against the 2016 and 2018 elections in the US showed multiple,

often confounding operations being run simultaneously. For instance, following the Trump victory

in 2016, a series of pro-Trump and anti-Trump rallies were organised by the IRA for similar

671 Schmitt p. 492.


240

locations and times.672 While it may seem counterintuitive to have two operations with opposite

goals running at the same time, this has the effect of increasing the existing divisions between

groups within a society. The echo chamber adds to the entrenchment of views and beliefs, the lack

of confounding narratives within that echo chamber reducing empathy toward or even knowledge

of contrary views, except to reinforce that those alternate views are either wrong or the minority.

It is also worth noting that a strategic narrative is never only about the words used – ideas can be

communicated just as well on social media through symbols, and graphics as words. In fact,

Russian operatives targeted different groups with diverse forms of communication in their

operations. “If strategic communications are 'the use of words, actions, images, or symbols to

influence the attitudes and opinion of target audiences to shape their behaviour in order to advance

interests or policies, or to achieve objectives', it seems right to claim that...the Kremlin definitely

employs them.”673

While Russian disinformation operations are often the most widely publicised, in part due to media

coverage of the US 2016 and 2018 elections, as well as the Senate Select Committee on Intelligence

investigation into the attempted influence operations, the Russian Federation is by no means the

only government that is familiar with, and routinely uses, disinformation campaigns as a matter of

proactive security. Rid discusses the history of American and German operations in Active

Measures,674 and Cindy Otis uses a number of examples of historical disinformation in her volume

True or False.675 Disinformation campaigns can also just as easily be undertaken by domestic actors,

up to and including the governing administration of a country against its own audience, as seen

with the Trump administration's claims of electoral fraud and victory following the election of Joe

Biden as the 46th President of the US in November 2020. Regardless of the attack vector,

disinformation campaigns with a strong strategic narrative, which tie into local myths and reinforce

existing divisions, are a danger to democratic societies. The targeting of domestic audiences

672 “After the election of Donald Trump in or around November 2016, Defendants and their co- conspirators used false U.S. personas to organise and coordinate U.S. political rallies in support of then president-elect Trump, while simultaneously using other false U.S. personas to organise and coordinate U.S. political rallies protesting the results of the 2016 U.S. presidential election. For example, in or around November 2016, Defendants and their co-conspirators organised a rally in New York through one ORGANIZATION-controlled group designed to “show your support for President-Elect Donald Trump” held on or about November 12, 2016. At the same time, Defendants and their co-conspirators, through another ORGANIZATION-controlled group, organised a rally in New York called “Trump is NOT my President” held on or about November” Robert S. Mueller, United States of America v. Internet Research Agency LLC, No. 1:18-cr-00032-DLF (United States District Court for the District of Columbia 2018) p. 23 §57.Robert S. Mueller, United States of America v. Internet Research Agency LLC, No. 1:18-cr-00032-DLF (United States District Court for the District of Columbia 2018) p. 23 §57. 673 Ofer Fridman, “‘Information War’ as the Russian Conceptualisation of Strategic Communications,” The RUSI Journal 165, no. 1 (January 2, 2020): 44, https://doi.org/10.1080/03071847.2020.1740494. 674 Rid, Active Measures: The Secret History of Disinformation and Political Warfare, 17–144. 675 Cindy Otis, True or False: A CIA Analyst’s Guide to Spotting Fake News (New York: Feiwel and Friends, 2020).


241

increases the attack surface available to hostile actors and requires significantly more investment

and attention from state security agencies.

In terms of the strength and efficacy of externally imposed strategic narratives, there are two fronts

with which CCI must engage: identification and management, or identification and mitigation.

Which of these become necessary will depend on the timing of the identification and the breadth

and reach of the actors introducing the disinformation into the targeted political information

ecology. Effective CCI by actors at all levels (state; organised group; individual) will enable the

identification of externally imposed narratives early in the operation. The earlier a narrative is

identified, the better the potential consequences can be managed. Efficient use of tactical CCI is

important at this stage, with the focus being on active practices – identifying the narrative in

question, actively removing, or negating the false information, and generally engaging in risk and

information integrity management, so that the targeted population does not have time to integrate

the false narrative into their belief structures. If the external narrative is not identified before this

stage, however, it becomes a matter of effective mitigation – identifying which parts of the external

narrative are affecting the local population, transforming the strategic approach to those affected

parties such that the false narrative can be rectified, and preventing the further transmission of the

incorrect or negatively framed information. The greater a percentage of the population in a state

that uses CCI in passive and active forms, the higher the resilience of that population to the

imposition of external narratives and infiltration of disinformation. In turn, the higher the

resilience, the more likely it is that external narratives will be identified before they can start to

integrate into local belief structures and affect the integrity of democratic institutions.

Countering a strong strategic narrative from a hostile actor, either foreign or domestic, also

requires significant breadth and depth of knowledge by counterintelligence actors; CCI comes into

play in the protection of domestic actors, the education of the same in increasing their own

security, as well as in the suppression of false information in favour of accurate facts and reporting

across cyber-enabled technologies and social media platforms. According to Oliver Schmitt,

[c]ountering the elements of strategic narratives that resonate with local and coherent myths strongly matter since those myths seem to have high resonance within an entire society...Crafting such counter-narratives will require individuals well acquainted with the local myths of specific political communities, and be able to work with the narrative structures and contents of such myths.676

676 Schmitt, “When Are Strategic Narratives Effective?” p. 506.


242

Counter-narratives, by definition and nature, need to work against the tide of disinformation

campaigns and strategic narratives already in play – they are reactionary, and so need to accurately

read the context of the information landscape and identify areas in which ground can be gained,

and false narratives overturned.677

Ongoing CCI and cyber security efforts can prevent future strategic narratives and disinformation

campaigns from gaining significant ground, but if a strategic narrative is already in play and has

been influencing individuals for a considerable time (and is both based on and complements local

or social myths), it is difficult to convince believers that their convictions are wrongly held.

According to Emily Thorson, “...even when misinformation is debunked, the marketplace [of

ideas] can fail in two ways. First, some people may not believe the correction, instead maintaining

their belief in the false information. This failure is called “belief persistence” ...a second failure of

the marketplace of ideas [is] the possibility that exposure to corrected misinformation may

create...” belief echoes,” or effects on attitudes that persist despite an effective correction.”678

Countering Disinformation – Belief Echoes

Belief persistence and belief echoes are vulnerabilities that can continue to affect perception and

action long after the inaccuracies have been identified and corrections made (or at least attempted)

– “...exposure to misinformation creates belief echoes: Lingering effects on attitudes that persist

even after the misinformation is effectively corrected.”679 Essentially, once a piece of information

has been accepted as true, even if that same information is then proved not to be, and is accepted

to be false, it is still possible that the initial impression created by that false information will

continue to affect an individual's perception of events, people, or information, which will then

affect that person's ongoing opinions and actions. This is a particularly dangerous and problematic

consequence of disinformation campaigns with strong strategic narratives; “...even if a correction

is effective in updating beliefs, it may not change individuals' related attitudes...; “belief echoes”

677 Part of proactively engaging in CCI in the disinformation space would be to identify possible threat narratives and design awareness campaigns that forewarn audiences of what those threat narratives might try to convey, pre-emptively negating future disinformation. This is in line with the Swedish response to foreign interference (particularly Russian active measures), which will be discussed further in chapter six. There are risks to this approach, however; there is no guarantee that the audience will not misremember the pre-emptively-identified disinformation as true, thus negating the counter-narrative operation entirely. 678 Emily Thorson, “Belief Echoes: The Persistent Effects of Corrected Misinformation,” Political Communication 33, no. 3 (July 2, 2016): p. 461, https://doi.org/10.1080/10584609.2015.1102187. 679 Thorson p. 476.


243

[refer] to the situation where misinformation continues to influence related attitudes even when

people's belief is reverted back to the pre-misinformation-exposure state.”680

This presents a unique challenge for CCI – how can the tools of counterintelligence be adapted to

reduce and mitigate the effects of these belief echoes? If false information can be corrected, and

individuals convinced to accept the update to their accepted truths, but the false information

continues to affect their long-term behaviour and perception, then how should counterintelligence

actors proceed to ensure the greatest possible degree of security and resilience? This is assuming

that individuals can be persuaded that their accepted truths are, in fact, falsities – what of those

individuals who choose to maintain their convictions, despite being provided proof to the

contrary? What if the echo chambers of modern socio-political information ecologies have proven

too efficient at maintaining false beliefs? Counter-narratives, then, need to battle strategic

narratives, false information, belief persistence and belief echoes. These are significant challenges

for liberal democratic nations to maintain the integrity of their critical democratic infrastructure.

It is difficult to conceive a counter-narrative wide-ranging and convincing enough that it can be

deployed soon enough after the identification of a hostile actor’s disinformation campaign. It is

moreover difficult to imagine it how it would be able to shift the perception of truth and belief

away from the false narrative in time to prevent that false narrative from becoming embedded in

the identify and belief structures of that individual. A counter-narrative that could do this would

be a proactive CCI operation that would require the same targeting and access to personal

information used by the hostile actor in the initial campaign, which is difficult to both collect and

exploit by domestic intelligence agencies, noting that in democratic nations, these are usually

constrained in their capacity to operate on home soil. The utility of efficient CCI practices being

undertaken consistently in both passive and active form will be most useful in combatting the

potential consequences of belief echoes, as these echoes are based on the continual layering of

information and perspectives built over time, and thus have roots in deeply held beliefs of the way

in which the world works. Educating the audience to engage in passive and active CCI wherever

possible (and, eventually, as a matter of habit) will build the resilience of the audience to introduced

disinformation and strengthen the integrity of a given democracy through verification and

transmission of information that is demonstrably accurate. We see here the need to shift from

active CCI to passive CCI through time, by building resilience in individuals and communities such

680 Jianing Li, “Toward a Research Agenda on Political Misinformation and Corrective Information,” Political Communication 37, no. 1 (January 2, 2020): p. 129, https://doi.org/10.1080/10584609.2020.1716499.


244

that a greater percentage of false information is either rejected or mitigated before potentially

negative consequences can occur. A comprehensive societal approach to and use of active CCI

will allow the state to focus on disrupting the overarching externally imposed strategic narratives

and the overall (dis)information operation. Communicating accurate information and identifying

external narratives will also reinforce the trustworthiness of democratic institutions, like the

governing administration and the mainstream media, both of which are subject to degradation

when disinformation is accepted into belief structures.

The echo chamber effect reinforces the belief echoes, and I argue that short of removing an

individual from the social contexts from which they derive most of their information, it is entirely

possible that even after having false information successfully identified and countered, those

individuals may still be successfully targeted by subsequent disinformation operations because they

are already susceptible to believing that which aligns with their personal views. This may be in part

attributable to their belief echoes. The cycle of reinforcement and narrative strengthening, as well

as broadening in echo chambers, particularly on and through the social media platforms is difficult

to interrupt. This is especially true if the individuals that comprise these social groupings are

disinclined to believe that they or their information may be factually compromised or lacking in

evidence.

Belief echoes cannot be avoided. They are an intrinsic consequence of the human psyche and

information processing sequences. The CCI measures that need to be taken to avoid, insofar as is

possible, the potential negative consequences to democratic populations of belief echoes initiated

by hostile disinformation campaigns are multi-temporal, ongoing, and cannot be guaranteed of

success. Tactical CCI will help mitigate the consequences of cyber-attacks and exploitation in the

immediate and short-term response, but an overarching strategic approach is necessary to prevent

a cyclical exploit-mitigate-exploit situation. Because belief echoes are a fundamental part of the

human psyche, it is questionable whether or not recognition of incorrect information can or will

prevent the echoes of that mis- or disinformation, and how it will affect future perception or

action. It is likely that the longer a belief is held or the stronger the belief, there is a greater

probability that the individual will dismiss counterfactual information, or otherwise refuse to

relinquish the problematic behaviour or assumptions. We also need to recognise the challenge of

cognitive biases like the ‘backfire effect’, which is the “strengthening of an original belief in


245

misinformation that is the subject of an attempted correction.”681 Individual engagement with

passive and, preferably, active CCI measures such as password security and verification of

information prior to transmission will help with this, but such practices need to be identified and

taught, societally.

Those in positions of authority, or with a significant social platform following, are capable of both

reinforcing those beliefs and introducing counter-narratives to combat them; it may be possible to

override the disinformation by communicating through a trusted figure or platform. Counter-

narratives introduced through cyber-enabled technologies and on the social media platforms need

to invite trust by using figures of authority (in the eyes of the target population, not necessarily the

general population), build on local myths and accepted beliefs, and appear or be shared in

significant quantity such that the disinformation is less likely to be seen or believed than the

accurate information. Unfortunately, recent studies have proven that false information is six times

more likely to be shared on social media platforms that accurate information, which makes the

manufacture and spread of factual counter-narratives difficult to both conceive and enact

efficiently.682 Counter-narratives as part of a CCI campaign would need the participation and

support of both state and corporate actors - disinformation campaigns are dangerous to the

democratic health and integrity of modern democracies, and few countermeasures could be

undertaken without the permission and participation of the private platforms through which much

of the disinformation is communicated.

Disinformation campaigns with strong strategic narratives, then, present a very real threat to the

integrity and resilience of modern democracies. In a 2020 interview with The Atlantic, former US

President Barack Obama stated that “[i]f we do not have the capacity to distinguish what’s true

from what’s false, then by definition the marketplace of ideas doesn’t work. And by definition our

democracy doesn’t work.”683 Former US Vice President Dick Cheney opined that disinformation

campaigns of the sort alleged to have been conducted by Russian against US elections constituted

681 Gregory J. Trevors et al., “Identity and Epistemic Emotions During Knowledge Revision: A Potential Account for the Backfire Effect,” Discourse Processes 53, no. 5–6 (July 3, 2016): p. 341, https://doi.org/10.1080/0163853X.2015.1136507. For more on the backfire effect, see Stephan Lewandowsky et al., “Misinformation and Its Correction: Continued Influence and Successful Debiasing,” Psychological Science in the Public Interest 13, no. 3 (n.d.): 106–31. 682 Dizikes, “On Twitter”; Greenemeier, “False News Travels 6 Times Faster”; Soroush Vosoughi, Deb Roy, and Sinan Aral, “The Spread of True and False News Online,” Science 359, no. 6380 (March 9, 2018): 1146, https://doi.org/10.1126/science.aap9559. 683 Barack Obama, The Atlantic Daily: Our Interview With Barack Obama, interview by Caroline Mimbs Nyce, November 17, 2020, https://www.theatlantic.com/newsletters/archive/2020/11/why-obama-fears-for-our-democracy/617121/.


246

an attempt “to interfere in major ways with… basic, fundamental democratic processes,”

continuing that “in some quarters that would be considered an act of war.”684 If democratic

populations are unable to ascertain which sources are trustworthy and which are not, the social

contract between governments and citizens will start to wear thin as distrust of institutions, already

low, spreads. Why, then, has it taken so long for audiences to be recognised as an acute security

vulnerability, as much at risk of attack as critical infrastructure, if not more so?

Elevating the Audience

According to the elevation theory framework, several elements need to be present in order for an

elevating act to be successful – in other words, for either riskification or securitisation to occur.

There must be an identified concern that can no longer be handled with normal political powers;

there must be an identified opponent; there must be a relationship of historical conflict or distrust

between the attacker and the target; there must be an observable record of increasing hostile action;

and the increase in risk or threat should be justified before, and accepted by, the general population

(being the audience of a democracy). Elevation theory also stipulates that rather than a

performative justification by a legitimate authority, that certain events and even images can be

considered elevating acts in and of themselves. Consider the 9/11 attacks and the well-known

image of the ruined twin towers, which immediately securitised international terrorism and kick-

started more than two decades of conflict in the Middle East.685 Alternately, the published

statements or policies of a governing administration can serve as elevating discourse, which is the

approach I undertook in chapter four. The analysis of the UK demonstrated that cyberspace is

being elevated as a threat to national security at the state level, and multiple measures of risk

management have been undertaken. The cyber security strategies analysed illustrate the growing

understanding that disinformation has the potential to negatively affect national security. In the

period analysed, however, the UK did not seem to develop a thorough understanding of the

potential consequences of cyber-enabled disinformation on the British audience. While there was

a continued focus on assets (infrastructure, data, systems), there was not a simultaneous elevation

of the threats to the audience.

684 Obama. Dick Cheney, quoted in Petra Cahill, “Cheney Says Russian Meddling in U.S. Election Possibly an ‘Act of War,’” NBC News, March 29, 2017, https://www.nbcnews.com/politics/white-house/dick-cheney-russian-election-interference-could-be-seen-act-war-n739391. 685 I consider a number of cyberspace-based elevating events in chapter three: Stuxnet; GhostNet; Flame; Estonia 2007; Georgia 2008; and the NSA PRISM revelations.


247

I argue that the semi-covert nature of disinformation operations against foreign publics prevented

an elevation of foreign interference until such time as that interference and its constituent influence

operations (disinformation campaigns being one form of influence and interference) became

apparent and more widely recognised. Had there been a strategic approach to CCI and a society-

wide understanding of CCI measures in relation to personal as well as national security, these

campaigns may not have been as successful as they were. Even so, what we have seen over the

past several years in terms of foreign interference campaigns has contributed to event-based

elevation more than a lengthy political justification process. Following a brief overview of the

ongoing importance of audiences not just to elevating acts but to security, subsequent sections will

examine psychometric data and micro-targeting before considering two examples of elevation: one

successful, and one failed. The chapter will conclude with a discussion of threat elevation in

cyberspace and the related development and importance of CCI specific to political information

ecologies.

Overlooking Audiences

The human factor is as important to cyber security and counterintelligence as any technology. Why

then have decision makers continued to weigh infrastructure security more heavily than the

security and resilience of national audiences? The strategic vulnerability of domestic populations

in an era of high technologies and instantaneous communication is being recognised, and there

have been moves to elevate audiences in recent years. However, as we saw in the UK case study,

national security leaders have continued to emphasise threats to infrastructure and data over

threats to audiences from influence and interference campaigns. I posit that this is an error in

judgement which has contributed to the increase in hostile partisanship within nations, a decrease

in public trust in institutions, and the success of foreign strategic narratives over factual accuracy.

In democracies in particular, the perception, opinions and behaviour of the domestic population

have considerable influence over the national and international policies of a state, given they elect

their leadership according to a specific and temporally regulated cycle.

Despite this strategic importance and power, however, audiences have only just begun to receive

the recognition and attention required in highly connected democracies. This ease of connection,

the instantaneous flow of information from one side of the planet to the other, and the difficulty

of differentiating true from false in terms of both information and people on the Internet, have

increased the risks of an unprotected and (relatively) cyber-ignorant domestic population.

Accepting the strategic importance of the audience in a democracy and the necessity of protecting


248

the integrity and resilience of audience opinion, perception, and information, how are people being

targeted? How are domestic and foreign actors choosing which segments of the population to

target to achieve a higher degree of acceptance of their chosen strategic narrative? The answer lies

in the exploitation of the inordinately large volume of information produced each day – massive

quantities of data are being used in the construction of psychometric profiles, which are then used

for micro-targeting.686 The next sections will examine the collection of data across multiple

platforms including the Internet of Things, the concept and use of psychometrics, and the practice

of micro-targeting.

Data Collection and the Internet of Things

The ‘five Vs’ of big data that were identified earlier in this thesis – volume, variety, veracity,

velocity, and value — are useful to describe the ‘pile of needles’ problem. There is so much data

available, and increasing rapidly, that finding the data you need is becoming progressively more

difficult - locating a specific needle in a pile of needles, rather than the former problem of finding

a needle in a haystack. As cyber-enabled technologies proliferate and surveillance capitalism

becomes integrated into every facet of daily life, these problems are going to increase

astronomically. Gradually, the technologies that we surround ourselves with in everyday life –

Alexa, Siri, smart fridges, mobile phones, smart televisions, etc. – collect data on how that

technology is used, as well as on the different people using that technology. All this data is

collected, stored, and exploited, either by the maker of the technology or by third parties to whom

that data is sold – often consented to in the (never read) terms of service agreed to by new users.687

The increasing number of cyber-enabled technologies that depend on cyberspace, at least in part,

for full functionality and emit a continual stream of data, represent a continual growth in the global

appetite for data, which an article in The Economist has claimed now surpasses oil as the most

valuable asset in the world.688 Every part of society is becoming digitised, connected – even

children, unable to consent, are becoming contributing parts of the Internet of Things, as their

686 Borgesius et al., “Online Political Microtargeting”; John Rust and Susan Golombok, Modern Psychometrics: The Science of Psychological Assessment (New York: Routledge, 2009), https://www.routledge.com/Modern-Psychometrics-The-Science-of-Psychological-Assessment/Rust-Golombok/p/book/9780415442152. 687 David Berreby, “Click to Agree with What? No One Reads Terms of Service, Studies Confirm,” The Guardian, March 4, 2017, https://www.theguardian.com/technology/2017/mar/03/terms-of-service-online-contracts-fine-print; Caroline Cakebread, “You’re Not Alone, No One Reads Terms of Service Agreements,” Business Insider Australia, November 15, 2017, https://www.businessinsider.com.au/deloitte-study-91-percent-agree-terms-of-service-without-reading-2017-11. 688 The Economist, “The World’s Most Valuable Resource Is No Longer Oil, but Data,” The Economist, May 6, 2017, https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data. This point was also made by former Cambridge Analytica employee Brittany Kaiser – see Amer and Noujaim, The Great Hack. The Economist, “The World’s Most Valuable Resource Is No Longer Oil, but Data.” This point was also made by former Cambridge Analytica employee Brittany Kaiser – see Amer and Noujaim, The Great Hack.


249

toys and educational applications and technologies provide information to not only their guardian

adults, but the owners of the devices and platforms they use.689

Many of these cyber-enabled technologies never have their default factory settings changed – these

are the easiest devices to target for malicious actors seeking to build a botnet (examined in chapter

five), because they can be hijacked en masse, with a single script able to locate and access each

device.690 Devices like televisions, speakers, fridges, and air conditioning units that are cyber-

enabled project data which is scooped up by the manufacturer of the device, but can also be

exploited by hostile actors. The botnets used against Estonian systems in 2007 have been estimated

to include anywhere between hundreds of thousands to two million IoT devices alongside actual

computers.691 It is not out of the realm of the reasonable to assert that there are few spaces in the

modern age which, despite being considered a ‘private’ space like the home, have no form of

surveillance or data collection being undertaken therein – the connected home is actually a source

of data about the individual/s that live/s there. This doesn't begin to consider the commercial

surveillance like CCTV, security cameras, or traffic monitoring systems that are so public and

accepted that they are often not observed or noticed at all – public spaces can be monitored by

legitimate authorities as a matter of course.692

Consider the mobile phone - portable, roaming personal surveillance and data production

platforms. These devices are sources of an incredible volume of psychometric and targeting data.

In addition to geolocation capabilities through modern tracking, individuals increasingly use their

mobile phones as an integral life platform – all things which can be done on the phone increasingly

are done on the phone, concentrating an inordinate volume of personal information on a singular

689 Kate Fazzini, “Toys and Apps Often Track Your Kids and Collect Information about Them — Here’s How to Keep Them Safe,” CNBC, November 24, 2018, https://www.cnbc.com/2018/11/23/connected-toys-privacy-risks.html; Chavie Lieber, “Big Tech Has Your Kid’s Data — and You Probably Gave It to Them,” Vox, December 5, 2018, https://www.vox.com/the-goods/2018/12/5/18128066/children-data-surveillance-amazon-facebook-google-apple; Cristina Miranda, “Buying an Internet-Connected Smart Toy? Read This.,” Consumer Information, December 6, 2018, https://www.consumer.ftc.gov/blog/2018/12/buying-internet-connected-smart-toy-read. 690 This was one of the functions of the Mirai malware, which “spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords.” Brian Krebs, “Who Makes the IoT Things Under Attack?,” Krebs on Security (blog), October 3, 2016, https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/. See also Josh Fruhlinger, “The Mirai Botnet Explained: How IoT Devices Almost Brought down the Internet,” CSO Online, March 9, 2018, https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html; Anthony Spadafora, “Mirai Botnet Returns to Target IoT Devices,” TechRadar, March 19, 2019, https://www.techradar.com/news/mirai-botnet-returns-to-target-iot-devices. 691 Davis, “Hackers Take Down the Most Wired Country in Europe”; Steve Mansfield-Devine, “Estonia: What Doesn’t Kill You Makes You Stronger | Elsevier Enhanced Reader,” Network Security, 2012, https://doi.org/10.1016/S1353-4858(12)70065-X. 692 Fritz Allhoff and Adam Henschke, “The Internet of Things: Foundational Ethical Issues,” Internet of Things 1–2 (September 2018): 55–66, https://doi.org/10.1016/j.iot.2018.08.005.


250

device which emits data to not only the device manufacturer but many, if not all, of the application

designers that provide the apps (those which organise, entertain, and communicate).693 The

individual creates and transmits an immense volume of data every day, and this data is exploitable

by a variety of actors. By engaging in active CCI practices such as the verification of information

before further transmission or concealment of PII, the individual can reduce their data footprint

and so reduce their targetability. Even passive CCI practices like deleting (unopened) emails from

suspicious or unrecognised addresses, or covering your password when entering it into a device in

a public space will reduce opportunities for malicious actors. That targetability reduction will also

contribute to the aggregate cyber security of the state, because individuals who are less targetable

for information operations represent a lower risk profile.

Psychometrics

Psychometrics is “the science of modern psychological assessment,”694 where characteristics of the

human psyche are measured, including knowledge, abilities, personality traits and attitudes. One

measure of such characteristics is the OCEAN profile – a person’s level of openness;

conscientiousness; extraversion; agreeableness; and neuroticism. Based on the results of the

OCEAN assessment, one can tailor advertising and information in order to influence specific

individuals, instead of massive segments of the population, as with more traditional advertising

campaigns.695 These traits can now be measured with the data that is collected online and through

IoT devices, in addition to any psychological profiles that individuals fill out themselves, and these

profiles become the foundation for psychological campaigns that are designed to influence

individual choice and action. The intent is to analyse data that will provide information on how an

individual thinks; what influences their choices, and how open the individual is to having their

mind changed, or their opinion reinforced on something. If someone is politically neutral and

relatively open to change, for example, it may be easier to sway their perception politically right

693 Nicole Kobie, “The Internet of Things: Convenience at a Price,” the Guardian, March 30, 2015, http://www.theguardian.com/technology/2015/mar/30/internet-of-things-convenience-price-privacy-security; Daniela Popescul and Mircea Georgescu, “Internet of Things - Some Ethical Issues,” The USV Annals of Economics and Public Administration 13, no. 2 (2013): 7; Rolf H. Weber, “Internet of Things: Privacy Issues Revisited,” Computer Law & Security Review 31 (2015): 618–27, https://doi.org/10.1016/j.clsr.2015.07.002. 694 John Rust and Susan Golombok, Modern Psychometrics: The Science of Psychological Assessment (New York: Routledge, 2009), https://www.routledge.com/Modern-Psychometrics-The-Science-of-Psychological-Assessment/Rust-Golombok/p/book/9780415442152 p. 4. 695 J. Isaak and M. J. Hanna, “User Data Privacy: Facebook, Cambridge Analytica, and Privacy Protection,” Computer 51, no. 8 (August 2018): 56–59, https://doi.org/10.1109/MC.2018.3191268; Charles Kriel, “Fake News, Fake Wars, Fake Worlds,” Defence Strategic Communications 3 (2017): 171–89; S. C. Matz et al., “Psychological Targeting as an Effective Approach to Digital Mass Persuasion,” Proceedings of the National Academy of Sciences 114, no. 48 (November 28, 2017): 12714, https://doi.org/10.1073/pnas.1710966114; PsyMetrics, “The OCEAN Profile,” PsyMetrics, 2013, https://www.psymetricsworld.com/ocean.html.


251

with specific, targeted advertising or (dis)information. Someone who has a deep-set political

opinion is less likely to be swayed, and so may be passed over.696

Psychometric profiles, long in use among advertising actors, came to the fore in terms of political

campaigns and profiling with the 2016 US Presidential election and the revelation that Cambridge

Analytica, a political consulting company based in the UK, had undertaken microtargeted

campaigns on behalf of the Cruz and then Trump campaign teams.697 Cambridge Analytica worked

with conservative (right-wing) actors and claimed to have built profiles with between four

thousand and six thousand data points per profile on each voting-age American.698 Psychometrics

profiles, under proper analysis, do not just provide specifics on likes and dislikes – cohesively, they

can also provide information about values and beliefs.699 Once an actor has an in-depth

understanding (or even just a surface understanding in combination with sufficient personal

information) of individual values and beliefs, those values and beliefs can be targeted for

manipulation with a strategic application of disinformation. As Dr. Stelzenmuller proclaimed

before Congress, hostile actors aren’t looking to hack elections; they are looking to ‘hack people's

minds.’700 Psychometric profiles help actors to do exactly that. They contribute to the targeting of

information operations like disinformation campaigns by helping to identify which sections of the

population will be more open to accepting external strategic narratives, or which sections of the

696 Such psychometric targeting has been the province of advertisers and marketers for a while now, at times being highly invasive of customer’s privacy. “Imagine that you buy the following items: Cocoa-butter lotion, a large purse, vitamin supplements (zinc and magnesium) and a bright blue rug. Now imagine that these purchases tell someone that there is an 87 per cent chance that you are pregnant, and due in six months. The company Target did this – used these and other pieces of data to produce a ‘pregnancy score’ for its customers. This surveillance became public knowledge when Target sent a family a ‘pregnancy pack’, congratulating the shopper on their pregnancy. The shopper was a teenage girl, living at home and her parents were unaware that their child was sexually active, let alone pregnant.” Henschke, Ethics in an Age of Surveillance: Personal Information and Virtual Identities, 3. 697 Cambridge Analytica, “CA Political,” July 2, 2017, https://web.archive.org/web/20170702090555/https://ca-political.com/; Harry Davies, “Ted Cruz Campaign Using Firm That Harvested Data on Millions of Unwitting Facebook Users,” the Guardian, December 11, 2015, http://www.theguardian.com/us-news/2015/dec/11/senator-ted-cruz-president-campaign-facebook-user-data. 698 Working with the Trump campaign, Cambridge Analytica designed and released into the political information ecology a variety of false or misleading information and memes, in order to reduce trust in the Clinton campaign and either reduce the likelihood of Clinton receiving votes, or increase the likelihood of undecided voters swaying toward Donald Trump. Using their psychometric profiles and a microtargeting strategy (the software for which was restricted from export prior to 2015 due to being considered 'weapons-grade' communication software) specific to Cambridge Analytica, they identified those individuals and communities likely to be swayed to Donald Trump's campaign. These individuals, the 'persuadables,' those people Cambridge Analytica had identified as being open to persuasion in their voting preferences. Amer and Noujaim, The Great Hack; Cambridge Analytica - The Power of Big Data and Psychographics (Concordia, 2016), https://www.youtube.com/watch?v=n8Dd5aVXLC. 699 CB Insights, “What Are Psychographics?,” CB Insights Research, May 6, 2020, https://www.cbinsights.com/research/what-is-psychographics/. 700 Constanze Stelzenmüller, “The Impact of Russian Interference on Germany’s 2017 Elections,” Brookings (blog), June 28, 2017, https://www.brookings.edu/testimonies/the-impact-of-russian-interference-on-germanys-2017-elections/.


252

population already have embedded beliefs that will aid in the domestic transmission of

disinformation.

What makes modern targeting both more effective and (potentially) more invasive of privacy, and

thus dangerous to the electoral integrity and resilience of modern democracies, is that it is

increasingly difficult to protect sources of information, or indeed to identify when and where a

disinformation campaign is being carried out. This is in large part because the social media

platforms like Facebook have policies in place which prevent full disclosure of advertising. In

terms of the disinformation used by both domestic and foreign actors in the 2016 US election, for

example, Facebook is a black box, as previously mentioned. Unless you were targeted for influence,

you didn't see the advertising or disinformation, short of a targeted individual taking a screenshot

and sharing that further. The use of passive and active CCI measures such as password protection,

enabling device firewalls and privacy settings, concealment of PII and the verification of

information will reduce the individual’s data footprint, and that will reduce the overall pool of

individuals that can be easily targeted for disinformation operations.701

Microtargeting

Microtargeting is not itself a surprising concept – the more information you have on the individuals

within a population, the easier it is to ascertain whether the specific individuals that could make a

difference to your cause are persuadable. Microtargeting allows for a more efficient deployment

of resources relative to the likely gains of an operation – why spend hundreds of thousands

advertising to a large population, when only 10% of that population would ensure a positive

outcome for your campaign? Why take the risk of advertising to a smaller segment of the

population, but not capture the segment that would have made the most difference?

Microtargeting allows campaign initiators to apportion funds and capabilities as efficiently as

possible, to ensure the best possible outcome. When advertisers do this, it is a liberal capitalist

economy at work. When domestic political actors do this, it is strategic campaigning. When foreign

actors do this for political purposes, given sovereignty and non-interference laws and norms, this

is foreign interference in domestic affairs.

In the 2016 US presidential campaign, microtargeting allowed Cambridge Analytica to identify

specific individuals who could be persuaded to vote for the Trump campaign based on their values

701 A significant proportion of the audience would need to engage in these practices to make an observable difference given the amount of data in existence and being produced, but there must be a starting point. For a non-exhaustive list of CCI practices, see Error! Reference source not found..


253

and beliefs, as well as their fears.702 Earlier work was undertaken by Cambridge Analytica for

Republic Senator Thom Tillis (North Carolina), who spent $345,000 for “’micro-targeting’ from

2014 through 2015, geared at helping Tillis defeat Democratic incumbent Kay Hagan in 2014, the

most expensive US senate race in history at the time.”703 Similar targeting identified those

individuals in the UK who, fearful of what continued or further integration with the European

Union could mean for British independence, could be persuaded to vote 'Leave' rather than 'Stay'

in the 2016 referendum on the activation of Article 31.704 The ongoing digitisation of expression

and embrace of highly networked and connected technologies as part of daily life is providing,

through cyberspace and IoT technologies, a continual and vast stream of data that Shoshana

Zuboff calls ‘behavioural surplus’. Behavioural surplus is data about our use of technology, which

provides companies like Google and Facebook with tremendous amounts of revenue.705 Without

education in terms of cyber security and the strengthening of personal resilience to outside

influence, individuals in modern democracies are proving susceptible to the manipulation of

perceptions and behaviour by outside forces, especially through the introduction and

communication of harmful disinformation into the socio-political information ecology that finds

expression across the massive social media platforms.

In addition to the personal responsibility of the individual in regard to verifying the accuracy of

information found online (which I would argue is neither widely understood, nor recognised as

necessary), there is a responsibility on the parts of both the private corporations that run these

platforms to ensure the integrity of information transmitted directly through their networks (such

as Facebook's newsfeed and Twitter's timeline), and, on the part of the state, to ensure that the

domestic population is not being adversely influenced by hostile actors. The difficulty lies in the

vast information attack surface presented by social media, and cyberspace in general. The current

international economic system is designed to take advantage of massive data surplus that users of

cyberspace technologies (like email and online shopping), IoT technologies and social media

platforms generate every single day.

The CCI challenge is to formulate methods of protection and repulsion of hostile actor attempts

at intelligence collection and exploitation, while allowing continued and unimpeded economic

702 Amer and Noujaim, The Great Hack. . 703 Maegan Vazquez and Paul Murphy, “Trump Isn’t the Only Republican Who Gave Cambridge Analytica Big Bucks,” CNN, March 21, 2018, https://www.cnn.com/2018/03/20/politics/cambridge-analytica-republican-ties/index.html. 704 Amer and Noujaim, The Great Hack. 705 Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, 63–97.


254

interactions that both support and contribute to the international economic, communications, and

political systems, and ensuring that government overreach is constrained.706 Consideration must

be taken of the millions of individuals that take part in these interactions and utilise these systems,

both hostile and not. Individual and organised group practices are integral to systemic resilience

of inference below the systemic level and need to be considered in any strategic plan or approach

to CCI; active (potentially proactive) and efficient CCI is required at the systemic level to balance

hostile state and non-state actors. The internal CIR response hierarchy needs to be known and

disseminated so that all actors (individuals, organised groups, states) know how to respond in the

case of an identified cyber incident, exploitation, or operation.

The next sections will consider examples of unsuccessful and successful threat elevation with

recognition of audiences in cases related to cyberspace and counterintelligence. The first example

of unsuccessful elevation is disinformation concerning the COVID-19 pandemic. The subsequent

example, of successful threat elevation and audience recognition, is disinformation and active

measures in Sweden.

Elevation and Audiences – COVID-19 Disinformation

The novel coronavirus pandemic that started in late 2019 and worsened throughout 2020 has

considerably and negatively impacted not only global health but national, regional, and

international stability as states experience a variety of consequences across the economic, political,

and social spectrums. Malicious actors in cyberspace have taken advantage of the unrest and

instability, with cyber-attacks increasing across the board, to the point of being called a cyber

pandemic;707 dark web marketplaces also started advertising COVID-19 discount codes on

706 While the state approach to CCI/avoidance of overreach might involve oversight mechanisms built into the operation and organizational structures of the intelligence community, there is very much an individual interest in engaging in CCI as a method of privacy assurance. If privacy can be considered a political necessity in liberal democracies, as Adam Henschke avers, then there must be a restriction in what information the state can access. Given the reach of the IoT, for example, there is the potential for an extensive and encompassing surveillance network built into people’s homes. To ensure the integrity and resilience of democracy, there needs to be a space for the citizens which the government cannot normally access. Knowledge of surveillance or even knowledge of the potential for state surveillance might have a chilling effect on individual actions and could induce behavioural change; any decision made under these conditions cannot be qualified as a decision freely made, a necessary condition of the democratic system. Henschke, “Privacy, the Internet of Things and State Surveillance.” 707 Interpol, “INTERPOL Report Shows Alarming Rate of Cyberattacks during COVID-19”; Joyce et al., “How to Protect Your Companies from Rising Cyber Attacks and Fraud amid the COVID-19 Outbreak”; Dan Lohrmann, “2020: The Year the COVID-19 Crisis Brought a Cyber Pandemic,” Government Technology, December 12, 2020, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2020-the-year-the-covid-19-crisis-brought-a-cyber-pandemic.html; Cedric Nabe, “Impact of COVID-19 on Cybersecurity,” Deloitte Switzerland, December 15, 2020, https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html.


255

malware.708 Disinformation has proliferated and diffused widely and wildly, tying together a

number of different conspiracy theories and communities, from those opposed to vaccinations

(‘anti-vaxxers’) to QAnon.709 Both state and non-state actors are contributing to the hostile and

polluted information ecology surrounding the novel coronavirus, making counter-narratives and

counterintelligence actions and operations difficult to design and deploy effectively, and vitally

important – failures in CCI here can literally lead to increased infection and death rates. One of

the serious concerns surrounding COVID-19 disinformation is not only the immediate impact to

the individuals who are susceptible to such false information, but the long-term impacts of the

rejection of accurate information about a global health threat in favour of 'fake news.'

Conspiracy Theories and COVID-19

COVID-19 is far from the first event or series of circumstances to become the subject of

conspiracy theories but it does serve as a recent illustration of the co-optation of a contemporary

event for information operations and manipulation of local media ecologies. In addition to the

increasing political partisanship and distrust in democratic and international institutions, the novel

coronavirus is producing an in-group/out-group dynamic among those that believe COVID-19 to

be real, and those who believe it to be a fabrication of hostile adversaries. Among the latter group,

there are a number of 'reasons' for their disbelief in the existence of the virus – Former US

President Donald Trump claiming that the virus was a hoax, Brazilian President Jair Bolsonaro

calling COVID-19 ‘the little flu,’ or that it is a creation of a secretive sect trying to control the

world.710 Parallel was the early false messaging from Former President Trump that the US chief

medical advisor Anthony Fauci did not recommend wearing masks;711 that human rights are being

708 Zak Doffman, “New Coronavirus Warning: These ‘COVID-19 Discounts’ Are Now The Most Dangerous Deals Online,” Forbes, March 19, 2020, https://www.forbes.com/sites/zakdoffman/2020/03/19/new-coronavirus-warning-beware-these-covid-19-discounts-the-most-dangerous-deals-online/; Anthony Spadafora, “Hackers Use Covid-19 ‘special Offers’ to Spread Malware,” TechRadar, March 23, 2020, https://www.techradar.com/au/news/hackers-use-covid-19-special-offers-to-spread-malware. 709 Sophie Aubrey, “The Curious Marriage of QAnon and Wellness,” The Sydney Morning Herald, September 26, 2020, https://www.smh.com.au/lifestyle/health-and-wellness/playing-with-fire-the-curious-marriage-of-qanon-and-wellness-20200924-p55yu7.html; E. J. Dickson, “Wellness Influencers Are Calling Out QAnon Conspiracy Theorists for Spreading Lies,” Rolling Stone (blog), September 15, 2020, https://www.rollingstone.com/culture/culture-news/qanon-wellness-influencers-seane-corn-yoga-1059856/; Michael McGowan, “How the Wellness and Influencer Crowd Serve Conspiracies to the Masses,” the Guardian, February 24, 2021, http://www.theguardian.com/australia-news/2021/feb/25/how-the-wellness-and-influencer-crowd-served-conspiracies-to-the-masses. 710 Nick Paton Walsh et al., “Bolsonaro Calls Coronavirus a ‘little Flu.’ Inside Brazil’s Hospitals, Doctors Know the Horrifying Reality,” CNN, May 25, 2020, https://edition.cnn.com/2020/05/23/americas/brazil-coronavirus-hospitals-intl/index.html. 711 Simon Romero, “Fauci Pushes Back against Trump for Misrepresenting His Stance on Masks.,” The New York Times, October 1, 2020, sec. World, https://www.nytimes.com/2020/10/01/world/fauci-pushes-back-against-trump-for-misrepresenting-his-stance-on-masks.html.


256

abrogated by lockdowns;712 that we should just learn to live with the virus and it will burn itself

out eventually.713 Whatever the reasons or beliefs, a number of different conspiracy theories about

the virus have surfaced and picked up momentum, proving the vulnerability of the public to hostile

information operations, and the importance of instituting efficient counter-narrative operations as

essential parts of CCI. The next several sections will examine three of the conspiracy theories

surrounding the novel coronavirus, considering the importance of elevating the threat to the

perception of individuals, and the security of the democratic state through affected resilience and

integrity of democratic institutions.

The 5G Theory

Another COVID-19 conspiracy theory states that the novel coronavirus either doesn't exist and it

is 5G towers that are making people sick, or that 5G towers are transmitting the virus and people

are catching COVID-19 that way.714 While the World Health Organisation has affirmed that no

research exists that linked negative health effects to exposure to wireless technology,

misinformation and disinformation abounds concerning 5G technologies.715 In the UK, "the false

claim that radio waves emitted by 5G towers make people more vulnerable to COVID-19 has

resulted in over 30 acts of arson and vandalism against telecom equipment and facilities, as well as

around 80 incidents of harassment against telecom technicians."716 Four 5G towers have been

subject to arson in Quebec, Canada.717 Stephanie Carvin, formerly of the Canadian Security

Intelligence Service and currently a professor at Carlton University, assesses Russia as the likely

instigator of the 5G disinformation, with a greater reach being enabled by botnets.718 The 5G

conspiracy theory has enjoyed some success among the anti-vaxxer community, creating links

between previously disconnected conspiracy theory communities. Carvin theorises that Russian

712 Reuters, “Australian state Violated Human Rights in COVID Lockdown-Report,” Reuters, December 17, 2020, https://www.reuters.com/article/health-coronavirus-australia-towers-idUSKBN28R0EC; Mirko Bagaric, “High Court Likely to ‘Free’ Covid’s Political Prisoners,” The Weekend Australian, September 22, 2020, https://www.theaustralian.com.au/commentary/high-court-likely-to-free-covids-political-prisoners/news-story/68b63c9c4fe6a7bb78a0cba04ff294e5. 713 Daniel Victor, Lew Serviss, and Azi Paybarah, “In His Own Words, Trump on the Coronavirus and Masks,” The New York Times, October 2, 2020, sec. U.S., https://www.nytimes.com/2020/10/02/us/politics/donald-trump-masks.html; Christian Paz, “All of Trump’s Lies About the Coronavirus - The Atlantic,” The Atlantic, November 2, 2020, https://www.theatlantic.com/politics/archive/2020/11/trumps-lies-about-coronavirus/608647/. 714 Reuters Staff, “False Claim: 5G Networks Are Making People Sick, Not Coronavirus,” Reuters, March 16, 2020, https://www.reuters.com/article/uk-factcheck-coronavirus-5g-idUSKBN2133TI. 715 Reuters Staff. 716 OECD, “Combatting COVID-19 Disinformation on Online Platforms.” 717 Jeremy Cohen, “Cell Tower Vandals and Re-Open Protestors — Why Some People Believe in Coronavirus Conspiracies,” The Conversation, May 22, 2020, http://theconversation.com/cell-tower-vandals-and-re-open-protestors-why-some-people-believe-in-coronavirus-conspiracies-138192. 718 Sam Cooper, “Coronavirus Conspiracies Pushed by Russia, Amplified by Chinese Officials: Experts,” Global News, April 28, 2020, https://globalnews.ca/news/6793733/coronavirus-conspiracy-theories-russia-china/.


257

disinformation surrounding 5G technologies is intended to delay planned rollout in Western

democracies, given their presumed crucial importance to state security.719 The disinformation

campaign is intended to further damage public trust in scientific authorities and public institutions,

particularly those attempting to curb the pandemic.720 In this instance, the disinformation

campaign and prevalence of transmission has resulted in physical damage to both infrastructure

and people in several locations globally. While there are fact-checks available and public

institutions such as government health agencies and the WHO issuing correct information, there

is not presently a strong enough counter-narrative properly targeted at the affected individuals for

there to be a significant chance at combatting the external strategic narrative.

The Microchip Theory

The third of the conspiracy theories to be discussed here is the Bill Gates theory, or the microchip

theory. According to this narrative, the coronavirus vaccine is being developed by Bill Gates and

will contain a microchip intended to provide tracking on all citizens that receive said vaccination.721

This disinformation also contains threads of truth, making it more difficult to counter: the Gates

Foundation has funded COVID-19 vaccine and treatment research, but neither of these have

anything to do with microchips.722 In a Q&A session, Gates referred to the possibility of digital

trust certificates in relation to home or kiosk testing for COVID-19 – this was perceived as an

admission of intent to use something like microchips or ‘quantum-dot tattoos’ in order to track

people.723 Research published in December of 2019 that was funded by the Gates Foundation

related to the potential use of a long-lasting skin dye that could be read by purpose-adapted or –

designed technologies that would identify the subjects vaccination history; certainly not a

technology that could be used to track someone.724 The technology is intended for use in areas of

the world suffering extreme poverty and conflict, where it may be difficult to ascertain whether or

not an individual has been vaccinated and if so, what for.725 This research is not related to COVID-

19, but is the link that conspiracy theorists have used as an explanation of the COVID-19

719 Stephanie Carvin in Cooper. 720 Cooper. 721 Saranac Hale Spencer, “Conspiracy Theory Misinterprets Goals of Gates Foundation,” FactCheck.Org (blog), April 14, 2020, https://www.factcheck.org/2020/04/conspiracy-theory-misinterprets-goals-of-gates-foundation/; Elise Thomas and Albert Zhang, “ID2020, Bill Gates and the Mark of the Beast: How Covid-19 Catalyses Existing Online Conspiracy Movements” (Australian Strategic Policy Institute International Cyber Policy Centre, 2020). 722 Spencer, “Conspiracy Theory Misinterprets Goals of Gates Foundation.” 723 Spencer. 724 Spencer. See the referenced original research on quantum dots: Kevin J. McHugh et al., “Biocompatible Near-Infrared Quantum Dots Delivered to the Skin by Microneedle Patches Record Vaccination,” Science Translational Medicine 11, no. 523 (December 18, 2019), https://doi.org/10.1126/scitranslmed.aay7162. 725 McHugh et al., “Biocompatible Near-Infrared Quantum Dots Delivered to the Skin by Microneedle Patches Record Vaccination.”


258

pandemic in a way that makes sense according to the information they are receiving or to which

they have access. Past experience and research have shown that engaging with anti-vaxxers is

difficult and often counterproductive, with counter-narratives and the provision of verifiable and

accurate information actually entrenching the beliefs of the anti-vaccination community.726 Belief

echoes are difficult to combat because they operate on a subconscious level. Even when an

individual is informed of the false nature of information, the backfire effect could result in the

accurate information being rejected in favour of the pre-existing false information that has become

part of the individual’s belief structure, resulting in belief persistence. In these contexts, the

fundamental utility of CCI measures and the elevation of the threat to audience psychology cannot

be overstated. In order to successfully engage in risk management in terms of disinformation as a

threat to democratic integrity, there must be a recognition of the importance and vulnerability of

audience belief structures. The human factor is an irrevocably important element of CCI, and the

risk to the audience needs to be elevated accordingly.

Further, resistance to vaccination has increased in recent years, such that general immunity to

‘defeated’ diseases like the measles has reduced below the official level of 'herd' immunity in

developed nations like the UK. This is in part due to conspiracy theories linking conditions like

autism to vaccinations (unfounded, demonstrably false, and debunked).727 External strategic

narratives in addition to domestic opposition to vaccinations and distrust of federal authorities is

an increasing global health risk and could put in jeopardy the vaccination and response plan to the

COVID-19 pandemic. Counter-messaging may prove inefficient and vaccination mandates may

further entrench distrust and resistance. It is possible that counter-narratives and

counterintelligence operations will only prove fruitful if used before external narratives can gain a

significant foothold in socio-political information ecologies, which is itself difficult in an era of

instantaneous transmission and multi-actor disinformation campaigns.

726 Erica Weintraub Austin and Porismita Borah, “How to Talk to Vaccine Skeptics so They Might Actually Hear You,” The Conversation, 2020, http://theconversation.com/how-to-talk-to-vaccine-skeptics-so-they-might-actually-hear-you-143794; Amy Corderoy, “Vaccine Expert Julie Leask Says Internet Outrage about Vaccination Risks Make Problem Worse,” The Sydney Morning Herald, March 30, 2015, https://www.smh.com.au/national/nsw/vaccine-expert-julie-leask-says-internet-outrage-about-vaccination-risks-make-problem-worse-20150330-1mb3gp.html; Claire Hooker, “How to Cut through When Talking to Anti- Vaxxers and Anti-Fluoriders,” The Conversation, February 17, 2017, 3. 727 Talha Burki, “Vaccine Misinformation and Social Media,” The Lancet Digital Health 1, no. 6 (October 1, 2019): e258–59, https://doi.org/10.1016/S2589-7500(19)30136-0; Centers for Disease Control and Prevention, “Autism and Vaccines | Vaccine Safety | CDC,” Autism and Vaccines, January 26, 2021, https://www.cdc.gov/vaccinesafety/concerns/autism.html.


259

The Fatal Vaccine Theory

The last of the enduring COVID disinformation narratives to be briefly examined here is the fatal

vaccine theory. According to this theory, one of the vaccines being trialled is actually more

dangerous than the virus itself and is killing the volunteers injected with it. According to the

Australian Strategic Policy Institute, this conspiracy theory appeared around July and is centred

upon American scientists testing vaccines on Ukrainian people in the city of Kharkiv, because the

vaccine was too dangerous to test on Americans.728 This is total fiction, published originally on the

website of a separatist region in Eastern Ukraine that is known to be pro-Russia and anti-American.

The narrative was picked up and laundered, however, by Russian media and eventually filtered into

the international information ecology and by August 2020 had been integrated into the larger

schema of coronavirus disinformation available online to anyone with access to the Internet. This

conspiracy theory has also found a home within the antivax community and is an abiding feature

of the COVID-19 disinformation landscape. We have seen claims that Russia is trying to spread

disinformation about US and European developed vaccines in order to promote the Russian

‘Sputnik V’ vaccine, a continuation of ongoing intent to sow chaos and confusion over vaccines

in order to undermine Russia’s adversaries.729

One of the primary problems with disinformation like a fatal vaccine is that now the true vaccines

are ready for distribution and use; it is more difficult to engage large swathes of the audience that

are already convinced it will do more harm than good. To achieve community resilience against

the novel coronavirus such that contemporary society can find a level of post-COVID normal

(with some semblance of pre-pandemic levels of economic and social stability), as many people as

possible will need to be vaccinated globally. When there are actors engaging in disinformation

creation and communication that result in certain communities refusing vaccination on a variety

of grounds, the ongoing resilience and security of the state becomes questionable.

The international community will need to invest significantly in COVID-19-related CCI; for this

to happen, there needs to be a widespread acknowledgement of the vulnerability of the audience

to imposed strategic narratives and the select introduction of false information into socio-political

information ecologies. This is a matter for the counterintelligence communities of the state as

much as it is an education and resilience issue. As of writing, coronavirus-related disinformation

728 Thomas, “Covid-19 Disinformation Campaigns Shift Focus to Vaccines.” 729 Jessica Glenza, “Russian Trolls ‘spreading Discord’ over Vaccine Safety Online,” the Guardian, August 23, 2018, http://www.theguardian.com/society/2018/aug/23/russian-trolls-spread-vaccine-misinformation-on-twitter; Scott, “In Race for Coronavirus Vaccine, Russia Turns to Disinformation.”


260

was still a significant feature of the international information landscape and no significant or

coordinated active countermeasures were in place. This shows that despite developments in the

elevation of cyberspace as threat, the focus remains on assets rather than audiences, which is

negatively impacting the integrity of democratic societies and causing communities to fracture.

CCI is fundamental, not only to increasing resilience to the adversarial operations of hostile actors

but, in this case, to the ongoing health of the global audience. By engaging in active CCI at the

state level (verifying that accurate information is being disseminated and signal-boosting that

information) and promoting the utilisation of similar, active CCI measures among the population,

governments can restructure the narrative surrounding COVID-19 vaccination efficacy and virus

origins at the same time as restoring audience trust in democratic governance. At the proactive

CCI level, governments could identify and disrupt disinformation narratives in a co-ordinated

fashion. There needs to be a higher degree of communication and coordination between states,

organised groups such as corporations (i.e., the large communications and discovery platforms like

Facebook, Twitter, and Google) to proactively engage in CCI to disrupt the communication and

transmission of disinformation to and between individuals. It is an absolute necessity for the

successful undertaking of CCI that the threats to audience psychology and belief frameworks be

adequately elevated and the consequent risks to democratic integrity managed accordingly. A

failure in risk management in terms of applying CCI to COVID-19 disinformation campaigns

could result in the further elevation of the novel coronavirus through a securitisation by extreme

necessity. Elevation of the threats to audience behaviour and decision-making based on

disinformation and adequate engagement of CCI measures and practices will contribute to the

overall security of the audience, as well as to the international system of states.

Recognition and Resilience: Successful Threat Elevation in Sweden

Where various actors of the international community have failed to elevate the threats to the

general public of disinformation and imposed external strategic narratives in relation to the novel

coronavirus pandemic, Sweden stands out as a state with a recent history of proactive

countermeasures to disinformation operations. Sweden effectively elevated both assets and

audiences, and it engaged in a sustained, rigorous, and nuanced CCI campaign to build resilience in

those audiences.

As early as the 1970s, Sweden had identified the dangers posed to their general public of

disinformation circulated in order to influence public perception, particularly in regards to the


261

then-Soviet Union.730 As a result, the Swedish government has been attentive to disinformation

campaigns and the introduction of false information into Swedish socio-political information

ecologies generally. For example, both the Swedish Media Council and the Civil Contingencies

Agency have teams and publications dedicated to the education of both the professional journalism

and public service sectors, as well as the general public, around the identification of, and resilience

to, disinformation and foreign influence campaigns.731 Sweden has successfully recognised and

elevated the disinformation threat to the general public, identifying the threat to democratic

institutions of a disinformed public operating according to imposed external strategic narratives.

The next sections will briefly examine the relationship between the Swedish public, foreign

influence campaigns (with specific reference to Russian active measures), the Swedish concept of

modern total defence, and the countermeasures utilised in order to ensure community resilience

to external influence.

Audiences and Defence in Sweden

The audience is already recognised as an integral element of modern defence in Sweden, both as a

contributing sector but also as a strategic vulnerability. It is possible that geographic proximity to

the former Soviet Union and then the Russian Federation has impressed upon successive Swedish

governments the dangers posed to democratic institutions by external influence and imposed

strategic narratives – “…in the eyes of Sweden’s security police Säpo the country [Russia] is one

of the biggest intelligence threats to Sweden. It has accused Russia both of spying and trying to

influence the Swedish public debate.”732 Whatever the causes, the fact of the matter is that there is

an overt acknowledgement within Swedish defence and government bodies that in order to

properly secure Sweden from modern threats, there is a twofold state responsibility.733 One, to

730 Martin Kragh and Sebastian Åsberg, “Russia’s Strategy for Influence through Public Diplomacy and Active Measures: The Swedish Case,” Journal of Strategic Studies 40, no. 6 (September 19, 2017): 780–81, https://doi.org/10.1080/01402390.2016.1273830; Rid, Active Measures: The Secret History of Disinformation and Political Warfare, 252–53. 731 Kristine Berzina, “Sweden — Preparing for the Wolf, Not Crying Wolf: Anticipating and Tracking Influence Operations in Advance of Sweden’s 2018 General Elections,” The German Marshall Fund of the United States, September 7, 2018, https://www.gmfus.org/blog/2018/09/07/sweden-preparing-wolf-not-crying-wolf-anticipating-and-tracking-influence; EU vs Disinfo, “In Sweden, Resilience Is Key to Combatting Disinformation,” EU vs DISINFORMATION, July 16, 2018, https://euvsdisinfo.eu/in-sweden-resilience-is-key-to-combatting-disinformation/; Government Offices of Sweden, “A Practical Approach on How to Cope with Disinformation,” Government Offices of Sweden, October 6, 2017, https://www.government.se/articles/2017/10/a-practical-approach-on-how-to-cope-with-disinformation/. 732 Emma Löfgren, “How Sweden’s Getting Ready for the Election-Year Information War,” The Local, April 11, 2018, https://web.archive.org/web/20180411113218/https://www.thelocal.se/20171107/how-swedens-getting-ready-for-the-election-year-information-war. 733 Government Offices of Sweden, “Kommittédirektiv - En ny myndighet för psykologiskt försvar (Committee Directive: A New Authority for Psychological Defence)” (Stockholm, 2018), https://perma.cc/GCF8-Z6HV - machine translation; Elin Hofverberg, “Government Responses to Disinformation on Social Media Platforms,” Web page, September 2019, https://www.loc.gov/law/help/social-media-disinformation/sweden.php#_ftn44.


262

protect the audience insofar as possible from the influence and interference attempts made by

external actors with the intent of socio-political manipulation.734 Second, to educate the audience

such that individuals are capable of identifying disinformation and influence attempts themselves,

increasing individual resilience to such efforts and, in so doing, increasing community resilience to

false information and external strategic narratives.735

According to Swedish Prime Minister Stefan Löfven, the free exchange of ideas and information

is a “precondition for democracy and the rule of law,”736 and, as such, information, and the public's

ability to trust in the accuracy and integrity of that information must be protected. This places both

the importance and the vulnerability of the general public, the democratic audience, squarely in

the centre of state considerations of modern national security. This has resulted in the

Scandinavian state being both highly resilient to, and more aware of, the dangers of disinformation

than other Western democracies. Trust in the media is relatively high and steady in Sweden, and

the Swedish mainstream media are utilised by the Swedish public more so than is news sourced

from social media platforms.737 Mainstream media sources in other Western nations like the US

and Australia, for example, have been suffering an ongoing decrease in public trust in favour of

news sourced through social media, along with increasing distrust in other democratic and

governmental institutions.738

Russian Active Measures in Sweden

While not as widely reported in the international media as campaigns against the more prominent

Western democracies like the UK and the US, Sweden has been the target of multiple Soviet and

then Russian active measures campaigns.739 Previous examples of Russian active measures in

Sweden are akin to traditional measures seen in Cold War operations, such as forgeries. Forged

734 Government Offices of Sweden Ministry of Defence, “Main Elements of the Government Bill Totalförsvaret 2021–2025: Total Defence 2021-2025,” October 15, 2020, 141–42, https://www.government.se/government-policy/defence/objectives-for-swedish-total-defence-2021-2025---government-bill-totalforsvaret-20212025/. 735 Government Offices of Sweden, “Kommittédirektiv - En ny myndighet för psykologiskt försvar (Committee Directive: A New Authority for Psychological Defence)”; Hofverberg, “Government Responses to Disinformation on Social Media Platforms.” 736 Stefan Löfven in The Local, “Sweden to Create New Authority Tasked with Countering Disinformation,” The Local Sweden, January 15, 2018, https://www.thelocal.se/20180115/sweden-to-create-new-authority-tasked-with-countering-disinformation/. 737 Pew Research Center, “Facts on News Media and Political Polarization in Sweden,” Pew Research Center’s Global Attitudes Project (blog), May 17, 2018, https://www.pewresearch.org/global/fact-sheet/news-media-and-political-attitudes-in-sweden/. 738 Henschke, Sussex, and O’Connor, “Countering Foreign Interference: Election Integrity Lessons for Liberal Democracies”; Shearer, “Social Media Outpaces Print Newspapers in the U.S. as a News Source.” 739 Jon Henley, “Russia Waging Information War against Sweden, Study Finds,” the Guardian, January 11, 2017, http://www.theguardian.com/world/2017/jan/11/russia-waging-information-war-in-sweden-study-finds.


263

documents can be inserted into information ecologies to serve as elements of disinformation

campaigns; a modern equivalent might be a spoofed website. A forgery is a concrete form of

disinformation, created specifically to deceive the reader as to the accuracy of its content.740

Forgeries became an art form during the Cold War, with both Eastern and Western intelligence

utilising them extensively.741 While Cold War forgeries reached an impressive level of

sophistication, however, the ease of use of cyberspace and the facility with which one can introduce

false information to a target society seems to have reduced the believability and sophistication

requirements. While forgeries have been used in (and against) Sweden as part of influence and

disinformation operations, they have so far been easily identified and debunked, though like with

all disinformation on the Internet, the documents (or articles about them) do occasionally

resurface, either decontextualised or as 'proof' of a point somebody is trying to make.742

The forgeries identified so far usually involve in some way Swedish defence personnel, be they

military or civilian. Sweden, while not a member of NATO, does cooperate with the defence

alliance and it remains in the interests of the Russian Federation for Sweden to remain outside the

Alliance. Forged documents are usually designed to worsen the relationship between NATO and

Sweden, or NATO's constituent states and Sweden.743 Lacking the attention to detail of their

forebears, however, modern forgeries have not achieved the sophistication or effect of previous

decades' examples. It is also worth noting that even when these forgeries do filter into Swedish

media, they are unlikely to make the intended impact because the Swedish public have been primed

to expect information operations and so are more resilient to attempted active measures than are

populations where governments have not accurately gauged and responded to audience

vulnerability in the information space.

740 For examples of forgeries used as disinformation in deception operations, see Rid, Active Measures: The Secret History of Disinformation and Political Warfare. 741 Rid. 742 Henley, “Russia Waging Information War against Sweden, Study Finds”; Kragh and Åsberg, “Russia’s Strategy for Influence through Public Diplomacy and Active Measures”; The Local, “Russia Spreading Fake News and Forged Docs in Sweden: Report,” The Local Sweden (blog), January 7, 2017, https://www.thelocal.se/20170107/swedish-think-tank-details-russian-disinformation-in-new-study/. 743 Neil MacFarquhar, “A Powerful Russian Weapon: The Spread of False Stories,” The New York Times, August 28, 2016, sec. World, https://www.nytimes.com/2016/08/29/world/europe/russia-sweden-disinformation.html; Ralph Schroeder, “Even in Sweden?: Misinformation and Elections in the New Media Landscape,” Nordic Journal of Media Studies 2, no. 1 (June 7, 2020): 97–108, https://doi.org/10.2478/njms-2020-0009; Margaret L. Taylor, “Combating Disinformation and Foreign Interference in Democracies: Lessons from Europe,” Brookings (blog), July 31, 2019, https://www.brookings.edu/blog/techtank/2019/07/31/combating-disinformation-and-foreign-interference-in-democracies-lessons-from-europe/; The Local, “Russia Spreading Fake News and Forged Docs in Sweden.”


264

Modern Total Defence: Recognition and Audience Resilience

Sweden currently organises national defence and security according to the concept of ‘modern

total defence,’ an idea that explicitly recognises psychological defence, the defence of the mind.744

Swedish governments have recognised that in the modern era, it is as necessary to protect and

improve the resilience of the mind to foreign interference as it is to protect physical infrastructure

and territory. In order to protect the mind, especially in democracies, it is important to protect the

integrity of information and the ability of the population to access that information; as Löfven

stated, such is the precondition for a functional democracy.745 In short, not only did Sweden

effectively elevate audiences in response to the challenges posed by cyber technologies like social

media etc., but they also engaged in population wide CCI campaigns.

In recognising the growing risk to the democratic public as a national security issue, Sweden has

been able to institute risk management measures and thus far avoided any event that may have

necessitated further elevation of audience vulnerability. In managing the risk to the audience,

Sweden has managed to attenuate the risk level – it is now a matter of fact in Sweden that

disinformation is likely to appear, and the Swedish public are both being prepared for that to occur

and educated about how to recognise and confirm disinformation before it has a chance to

significantly affect their perceptions.746 Their education campaigns, as well as their ongoing

commitment to psychological defence, discussed in the next section, are an example to all highly

networked societies of both measures that should be taken in response to successful threat

elevation, and the success of those measures when deployed efficiently and in a timely manner.

Countermeasures – Public Education and Communication as CCI

The Swedish government has a strong contemporary history of recognising the potential risk of

disinformation to democratic integrity. Swedish authorities have recognised the necessity of

744 Ministry of Defence, “Main Elements of the Government Bill Totalförsvaret 2021–2025: Total Defence 2021-2025”; Björn von Sydow, “NATO Review - Resilience: Planning for Sweden’s ‘Total Defence,’” NATO Review, April 4, 2018, https://www.nato.int/docu/review/articles/2018/04/04/resilience-planning-for-swedens-total-defence/index.html. 745 Löfven, “Statsminister Stefan Löfven (S): ”Så ska vi skydda valrörelsen från andra staters påverkan”,” DN. debatt, March 21, 2017, https://web.archive.org/web/20170321054938/https://www.dn.se/debatt/sa-ska-vi-skydda-valrorelsen-fran-andra-staters-paverkan/ - machine translation; Löfven in The Local, “Sweden to Create New Authority Tasked with Countering Disinformation.” 746 EU vs Disinfo, “Building Swedish Resilience,” EU vs DISINFORMATION, March 28, 2017, https://euvsdisinfo.eu/building-swedish-resilience/; Government Offices of Sweden, “Kommittédirektiv - En ny myndighet för psykologiskt försvar (Committee Directive: A New Authority for Psychological Defence)”; Myndigheten för samhällsskydd och beredskap, “MSB i Almedalen: Frukostseminarium Om Informationspåverkan,” Myndigheten för samhällsskydd och beredskap, January 26, 2019, https://web.archive.org/web/20190126040104/https://www.msb.se/sv/Om-MSB/Nyheter-och-press/Nyheter/Nyheter-fran-MSB/MSB-i-Almedalen-Frukostseminarium-om-informationspaverkan/.


265

teaching the audience, the general public, to recognise, analyse, and dismiss false information when

it appeared. The Civil Contingencies Agency (MSB) was mandated with this task and has been

producing materials and broadcasts that educate the individual about false information and how

to identify it.747 The Swedish government has been building the resilience of the Swedish public to

disinformation campaigns, and attempted information operations. As a result, the potential

dangers of disinformation are more widely known than in the larger Western democracies, which

have suffered the consequences of ongoing information campaigns in recent years. The MSB is

also responsible for producing material to educate officials, and, in 2018, produced a handbook

for communications on public education in relation to identifying and countering

disinformation.748

While not a direct method of public education, Sweden has also taken steps to ensure the integrity

of publicly available information by criminalising the production and dissemination of false

information.749 More to the point, it is also illegal to disseminate information that could negatively

affect the national security of Sweden, or to accept remuneration for disseminating foreign

propaganda within the country.750 Swedish journalists are also compelled to maintain certain ethical

standards, and while they would typically “be prosecuted for misinformation,” can be investigated

by the Press Ombudsman for violation of good publishing practices, including a failure to provide

“evidence to substantiate the information…” used in a story.751 There are incentives for individuals

and organised groups to engage in passive and active CCI, because to do otherwise is to risk legal

censure and punishment. By instituting ethical and legal standards surrounding the information

that is available in the official information ecology, and in combination with the MSB’s public

education campaigns, the Swedish government has contributed significantly to the integrity of

public information and their audience’s resilience to the recognised potential threat of

disinformation. By instituting a strategic approach to CCI engagement and education, and

requiring certain standards of individuals and organised groups, the Swedish government has

reduced the number of exploit situations in which they will have to intervene. Contributing to the

747 Hofverberg, “Government Responses to Disinformation on Social Media Platforms”; Myndigheten för samhällsskydd och beredskap, “Om Krisen Eller Kriget Kommer (Whether the Crisis or War is Coming)” (Myndigheten för samhällsskydd och beredskap, 2018), 6, https://perma.cc/4PHH-ZCQG. 748Myndigheten för samhällsskydd och beredskap, “Countering information influence activities : A handbook for communicators,” Myndigheten för samhällsskydd och beredskap, 2018, https://www.msb.se/sv/publikationer/countering-information-influence-activities--a-handbook-for-communicators/.. 749 Hofverberg, “Government Responses to Disinformation on Social Media Platforms.” 750 Hofverberg. 751 Hofverberg; Elin Hofverberg, “Initiatives to Counter Fake News,” Web page, Library of Congress, April 2019, https://www.loc.gov/law/help/fake-news/sweden.php.


266

assurance of accurate information (active CCI) reduces the vulnerability of the population to

disinformation campaigns by virtue of it being less easy for trusted institutions to disseminate

potentially false information.

Countermeasures – Psychological Defence Agency as CCI

The most prescient element of the Swedish modern total defence concept is the incipient creation

of the Psychological Defence Authority, slated to launch officially in 2022.752 The Authority will

consolidate the knowledge and policy of the Swedish government and security services in an

unprecedented agency specific to the defence of the mind. The Authority is mandated to “discover,

counter, and prevent influence campaigns, and disinformation, both national and internationally.

It shall also strengthen the populations resistance [so that people] themselves discover influence campaigns and

disinformation. In addition, the psychological defence must be able to act both in the short term and

in the long term” (emphasis added).753 The Swedish defence research agency (FOI) identified

countering deception, disinformation and propaganda as “one of the three essential components

of psychological defence.”754

There are a couple of notable elements to the mission and purpose of the Psychological Defence

Authority. The first, notable for the purposes of this thesis, is the explicit centering and elevation

of risk to the general audience: one of the very specific reasons for which the Authority was created

was to aid in strengthening the resilience of people to influence operations, recognising and

emphasising the importance of the human element and the individual to modern CCI and overall

security. As of writing, this remains the first instance of such an explicit threat elevation relevant

to the audience, in this author’s knowledge. In so elevating the risk to the audience, and engaging

in continuous risk management measures and practices, Sweden has become part of the vanguard

of states operating within or constructing CCI frameworks according to a threat elevation

calculation.

752 Peter Hultqvist, “Sweden’s Defense Minister: Additional Resources Are Coming to Bolster National Security, Alliances,” Defense News, January 11, 2021, https://www.defensenews.com/outlook/2021/01/11/swedens-defense-minister-additional-resources-are-coming-to-bolster-national-security-alliances/; The Local, “Sweden to Create New Authority Tasked with Countering Disinformation.” 753 Hofverberg, “Government Responses to Disinformation on Social Media Platforms”; Myndigheten för samhällsskydd och beredskap, “Om Krisen Eller Kriget Kommer (Whether the Crisis or War is Coming),” 5 - machine translation. 754 Hofverberg, “Government Responses to Disinformation on Social Media Platforms”; Government Offices of Sweden, “Kommittédirektiv - En ny myndighet för psykologiskt försvar (Committee Directive: A New Authority for Psychological Defence),” 5 - machine translation.


267

The second element is the creation of the Authority itself. The creation of a new government

agency is no simple or inexpensive feat. For the Swedish government, or any government, to invest

in a psychological defence agency, then that state’s strategic planners must be reasonably certain

that influence operations and disinformation campaigns will be a feature of the national and

international security landscape for a considerable time to come. While there are parallels in the

UK in terms of the agencies that have been stood up to deal with national security threats like

terrorism, and the variety of risks associated with cyberspace, there has been no equivalent agency

created in the UK that performs the explicit function of psychological defence. In this regard,

Sweden has not only more successfully elevated the threat to the audience posed by adversarial

disinformation campaigns and, in doing so, has contributed to the aggregate security of the state,

but then sought to counter that threat with a holistic and comprehensive CCI effort.

The efforts made by Sweden to counter adversary disinformation operations are, in large part,

generalisable to other states. It is possible — and recommended here — that states engage in

counter-disinformation operations and education. Standing up a new agency may not be necessary,

though it is certainly an option. Designating a specific body within the government that has the

mandate to engage in counter-disinformation operations would enhance the resilience of the state

and its citizens to adversary disinformation operations. This can be achieved by both active and

aggressive cyber counterintelligence on the part of that designated body, as well as the active

education of the polity as to the identification and dismissal of disinformation. Templates for both

the designated body, and the education campaigns, can be taken from Sweden. The justification

for this risk management measure can be accomplished through a comprehensive elevation of the

dangers posed by disinformation to the audience, their perception and subsequent behaviour, and

the adverse consequences of a democracy in which the integrity of information cannot be assured

and in which public trust in institutions has degraded. Sweden has a longer historical record of

counter-disinformation practices (and the information operations that forced their necessity) that

reduces the burden of proof for a successful elevation, but recent events globally provide an

evidentiary foundation upon which to base an elevation.

Conclusion: Elevating the Threat of Disinformation

Disinformation has the potential to be extremely damaging to the function and fundamental

concept of the modern liberal democracy. While the elevation of risks and threats to assets and

infrastructure has been successful in the UK and elsewhere, the risks and threats to the audience

that are enabled and transmitted through cyberspace remain unresolved and insufficiently elevated.


268

While there is no doubt that there are and will be ongoing threats to the assets and infrastructure

that underpin and feed the cyber structures upon which modern life has come to depend, it is also

true that greater attention needs to be paid to the democratic audience, to the individuals that both

produce that data and use those systems, and who are susceptible to disinformation that can affect

their current and future perceptions and behaviour. Counterintelligence requirements are evolving

in the cyber-enabled age, and states have both a larger remit for countermeasures and a greater

attack surface to protect, including the psychology of their citizens. The case study in chapter four

and the understanding of CCI developed throughout this thesis has identified that there is a state

responsibility to engage in counter-disinformation practices as a form of CCI in order to protect

information integrity and audience perception; identify, trace, and subvert adversary operations

designed to affect the same; and educate the audience on both the dangers of information warfare

and the methods with which they can engage in CCI such that they contribute to the overall cyber

security posture of the state.

Disinformation as a form of information warfare is not new, but it is increasingly easy to deploy

in the contemporary era, especially with the relatively unregulated nature of the massive social

media and communications platforms, though steps are being taken to introduce restrictions on

those enterprises.755 It is not only necessary to restrict the free movement and policy of these major

commercial actors, however. Disinformation is being utilised by both domestic and foreign actors

to pollute the information ecology of the voting public through a variety of media, and this is

affecting the perceptions those individuals have of not just actors and policies but of information

and the integrity of information producers. When trust is lost in public institutions such as the

media, and individuals within a democracy no longer have faith that the information which

legitimate authorities produce about topics of national and global concern (such as COVID-19, its

origins, and the vaccines being created to treat the virus), then the integrity of the democratic state

itself is called into question. If a voting public is making decisions based on demonstrably false

information, have those individuals in fact made a free and informed decision? If the individual

has cast a vote based on disinformation introduced to them by an adversarial actor with the intent

of manipulating their perception such that they vote for a candidate for whom they may otherwise

755 Daniel Funke and Daniela Flamini, “A Guide to Anti-Misinformation Actions around the World,” Poynter (blog), accessed May 22, 2021, https://www.poynter.org/ifcn/anti-misinformation-actions/; Reuters Staff, “Factbox: ‘Fake News’ Laws around the World,” Reuters, April 2, 2019, https://www.reuters.com/article/us-singapore-politics-fakenews-factbox-idUSKCN1RE0XN; Tomoko Nagasako, “Global Disinformation Campaigns and Legal Challenges,” International Cybersecurity Law Review 1, no. 1 (October 1, 2020): 125–36, https://doi.org/10.1365/s43439-020-00010-7; Scott Shackelford, “The Battle against Disinformation Is Global,” The Conversation, accessed May 22, 2021, http://theconversation.com/the-battle-against-disinformation-is-global-129212.


269

not have voted, has that person made their own decision? Or, given the (successful) attempt at

manipulation through disinformation, has a foreign actor indirectly or directly intervened in the

political sovereignty of the state in question? How is a state to avoid the crumbling of public faith

and trust in institutions? How can a state shore up the security and resilience of the audience to

foreign interference, as well as they have shored up the security and resilience of critical national

infrastructure?

One answer is CCI. This may be to identify the psychological defence of the audience as a critical

national interest; that is to say, an element of critical democratic infrastructure. The UK has failed

to recognise the audience as a critical security vulnerability, and so has not developed their concept

of CCI in such a manner that public education campaigns on the methods and practices would

allow individuals to increase their own security, and contribute to that of the state. Lessons could

here be taken from the Swedish approach; while they have an extensive history of responding to

Russian active measures campaigns, with further engagement, it would be possible to model public

campaigns around personal CCI practices on their awareness and critical thinking frameworks,

especially for the identification and dismissal of disinformation as individuals come across it. There

needs to be a significant investment in understanding and managing the risk to audience

psychology and belief systems in order for modern democracies to both be able to trust in the

infrastructure underpinning modern life, and also be able to trust that the decision-making and

behaviour of the audience is not being (adversely or overly) affected by external strategic narratives

imposed, at least in part, through the infiltration of disinformation that the audience is not capable

of detecting or dismissing out of hand. The risks to the audience of disinformation, and the

necessity of employing CCI measures from the individual through to the state level, need to be

elevated and acted upon as a matter of critical national interest and concern.

Chapter 7 - Conclusion

270

7 - Conclusion This thesis has evaluated the threat elevation of cyberspace in a modern democracy through an

analysis of the United Kingdom (UK), and assessed whether that perception has influenced the

evolution of cyber counterintelligence (CCI) as a response to cyber-enabled threats such as

disinformation. There were two secondary lines of research that contributed to this discussion.

The first was to identify or develop the theoretical framework through which an evolution in state

threat perception could be identified and analysed. That framework would then affect the

conclusions drawn from the subsequent line of research, being the identification and development

of CCI as a response to cyber-enabled threats. To limit the scope of the thesis I chose to examine

a particular security problem, being disinformation conducted via cyberspace, rather than attempt

a generalised analysis of the CCI response to any or all cyber-enabled threats.

This thesis makes a theoretical contribution to security studies and strategic analysis by articulating

and developing the threat elevation analysis framework, which informed the analysis conducted

throughout this research, and the conclusions reached herein. Threat elevation analysis was then

applied to an examination of the evolution of the threat perception of cyberspace in the UK. This

analysis was facilitated by the examination of national security documentation published by

successive British administrations in the period 2008-2018, contributing to the existing literature

on the national security of the UK. The subsequent chapters developed the concept and typology

of CCI in order to further the academic discourse and contribute to the nascent body of literature

in a relatively novel branch of intelligence and counterintelligence studies, and to illustrate the

assets vs. audiences dilemma that has typified the UK’s approach to the development of CCI,

particularly in relation to cyber-enabled disinformation.

Following an overview of existing literature across the fields of securitisation theories,

counterintelligence, and disinformation in chapter two, the third chapter of this thesis articulated

threat elevation analysis, a theoretical framework for ex post facto analysis that was developed

specifically for this research but was designed to be used broadly and in a variety of sectors beyond

cyberspace and counterintelligence. Threat elevation analysis is the framework through which

political concerns are transformed into risks through riskification, and risks then becoming threats

through securitisation. Threat elevation analysis is not intended to be prescriptive or proscriptive

but is designed to identify the stressors and developments that contribute to the risk and threat

perception of certain security issues. I found that while there have been several elevating events


271

that contributed to the overall increase in the threat perception of cyberspace, it is not yet justifiable

to state that cyberspace has been securitised. There has been no articulation of existential threat in

relation to a cyber-attack or exploitation, and no indication that democratic audiences would accept

an argument of that nature. What has, however, occurred, is the successful riskification of

cyberspace, and the deployment of risk management measures designed to reduce the overall

security risks associated with cyberspace, but do not justify the extraordinary powers of threat

mitigation.

In chapter four, I applied the theoretical lens of threat elevation analysis to the national security

documentation of the UK as a case study for the elevation of the threat perception of cyberspace.

I engaged in process tracing, examining a selection of national security documents from the UK

to ascertain the development of the threat perception of cyberspace, as well as the development

of CCI as a concept. In the period examined, my conclusion was that the UK had succeeded in

elevating the threat to infrastructure posed by cyberspace and cyber-enabled technologies but had

failed to engage in a holistic elevation by insufficiently recognising the threat to the democratic

audience of disinformation enabled by cyberspace technologies and communication platforms. In

addition, and potentially due to the sensitivities surrounding discussion of intelligence and

counterintelligence capabilities in a public forum, there was little overtly articulated information

surrounding the use or development of counterintelligence capacities specific to cyberspace. By

engaging in documentary analysis, I conclude that while the UK is engaged in strengthening CCI

skill and capability, there has been a split between assets and audiences that has resulted in an

unbalanced approach to cyber security and resilience, despite the overall increase in risk perception

of cyberspace. There is significant scope for future research on the British approach to CCI and

cyberspace security generally, particularly with the publication of the Integrated Review and

Defence Command Paper in March 2021.

Accepting as a starting point the definition of CCI examined in chapter two and in the context of

threat elevation analysis and a modern state’s approach to the threat elevation of cyberspace

(chapters three and four respectively), in chapter five I articulated and developed a dual-pronged

typology of CCI. I identified and defined passive, active, and proactive CCI, engaging in conceptual

development and providing case-use examples of each. I then identified and articulated strategic

and tactical understandings of CCI, engaging in further conceptual development, and providing

case-use examples. CCI practices and measures are not mutually exclusive, and some practices

straddle the line between passive and active, or active and proactive. There is also crossover


272

between tactical CCI and strategic CCI – there is considerable scope for further research in the

development of this typology, as well as an exploration of what CCI looks like beyond the UK (as

an example of a mature and connected democracy), in non-Anglo democracies, and indeed what

CCI looks like in non-democratic political systems. I also examined the groups of actors that are

most likely to engage in CCI, and those who should engage in CCI as a matter of ongoing personal

and national security and resilience. These informed both the subsequent chapter and my

conclusions on the assets vs. audiences dilemma identified in earlier sections.

Engaging with these results, in chapter six, I applied my findings to the rise of disinformation as a

form of foreign interference and a threat to democratic integrity. I articulated more specifically the

assets vs. audience schism, which describes the uneven and inefficient approach to CCI and overall

cyber security of the UK, and which can feasibly be generalised to overall approaches to

disinformation as a counterintelligence problem. I articulated the importance of acknowledging

and promoting the importance of the human element in CCI, and the dangers of disinformation

to audience beliefs, belief frameworks, and future behaviours in relation to democratic integrity.

Particularly in democracies like the UK and their close allies in the Five Eyes alliance and NATO

as well as the EU, it is crucial to recognise that the threat to domestic audiences of foreign

interference using disinformation as a vehicle of psychological manipulation is increasing.

Effective disinformation campaigns – and ineffective CCI – have the potential to destabilise

democratic institutions through degrading the integrity of information available to domestic

audiences, and reducing the capacity of individuals to access, believe in, and make informed

decisions based on verifiable information from trustworthy sources. Using an example of failed

elevation (COVID-19 disinformation), and successful elevation (Sweden’s approach to Russian

active measures), I demonstrate both the analytical integrity of the threat elevation analysis

framework and the importance of the human factor in a holistic approach to CCI, highlighting

some of the Swedish successful countermeasures that could be employed by democratic states

more broadly.

Developments in UK Threat Elevation: the 2021 Integrated Review and Defence Command Paper

It would be remiss not to address the two national security documents released by the UK in the

first quarter of 2021. While these documents fall outside the temporal bounds of the case study

presented in chapter four, a brief analysis of the documents will reveal whether there has been an

elevation of the threat of disinformation to audiences and democratic integrity in the intervening

three years between the end of the case study and the publication of these documents. “Global


273

Britain in a Competitive Age: The Integrated Review of Security, Defence, Development and

Foreign Policy” (hereafter “Integrated Review”) was released in tandem with “Defence in a

Competitive Age” (hereafter “Defence Command Paper”) in March 2021. At 111 pages and 69

pages respectively, they provide an update on the national security and defence posture of the UK.

It is apparent in the foreword of the Integrated Review that the disinformation campaigns of recent

history have impressed upon British decisionmakers the potential consequences of such

operations, with Prime Minister Boris Johnson articulating the necessity of defending “the integrity

of the nation against state threats, whether in the form of illicit finance or coercive economic

measures, disinformation, cyber-attacks, [or] electoral interference…”756 In perfect alignment with the

terminology and the threat perception elevation identified as necessary throughout this thesis, the

UK has overtly elevated the risks of disinformation. I note that, at least in this initial section, the

explicit association of these dangers are related to state action specifically. However, this is the

most explicit elevation of the threat of disinformation so far identified in the national security

documentation of the UK, and it aligns with the expectations of this research. Further to this

elevation is the introduction of the National Cyber Force, a further indication of the ongoing

elevation of the threat perception of cyberspace in the UK.757 Moreover, there is an explicit

recognition of the necessity, for the integrity of British democracy, to protect “the ability of the

British people to elect their political representatives democratically in line with their constitutional

traditions, and to do so free from coercion and manipulation.”758 This is a significant elevation from

previous national security documentation in relation to the recognition of the dangers of

manipulation of the democratic audience, even without an explicit reference to disinformation.

Further, the paragraph immediately following iterates the need to secure democratic institutions

as one of the interests identified by the government. While this does not yet demonstrate parity of

riskification with the long-acknowledged risks to assets, this is an overt riskification of dangers

posed to audiences.759

There is also an assertion of the intent to adopt a “comprehensive cyber security strategy…and

make much more integrated, creative and routine use of the UK’s full spectrum of levers –

including the National Cyber Force’s offensive tools – to detect, disrupt, and deter our

adversaries.”760 This is particularly interesting not only in terms of the threat elevation analysis and

756 Cabinet Office of the United Kingdom, “Global Britain in a Competitive Age,” 4, emphasis added. 757 Cabinet Office of the United Kingdom, 4. 758 Cabinet Office of the United Kingdom, 13, emphasis added. 759 There is no recognition of an existential threat to audiences, and so cannot be considered a securitising act. 760 Cabinet Office of the United Kingdom, 21.


274

the successful riskification of cyberspace by the UK, but in the relationship identified between the

detection and disruption of adversarial activities and the use of offensive cyber tools. I infer from

this an admission of the willingness to employ proactive CCI practices as deemed necessary for

the cyber resilience and security of the UK. The challenges to democratic governance posed by

disinformation, which necessitate the ongoing implementation of CCI at both state and individual

levels, is highlighted as a potential risk as disinformation sowed by malign actors has the potential

to undermine public trust in government.761 The Integrated Review elevates the threats to the

democratic audience posed by disinformation exactly according to the threat elevation analysis

framework offered in chapter three and employed throughout this thesis, verifying its analytical

accuracy and overall utility. Lacking an identification of existential risk, these elevating acts further

entrench the riskification, rather than securitisation, of danger to the audience.

The Defence Command Paper strikes many of the same notes as the Integrated Review in terms

of the recognition that the rapid pace of technological change has resulted in a rapidly changing

security environment. Particularly relevant to this thesis is the admission that

long established techniques of influence and leverage such as economic coercion, propaganda, intellectual property theft and espionage, have been supercharged by ubiquitous information and technological transformation.762

Between the Integrated Review and Defence Command Paper, the UK is making the clearest case

thus far for the riskification of cyberspace and the associated threat potential of disinformation as

a form of interference and coercion. The Defence Command Paper also connects that recognition

of the risk vector of cyberspace with the imposition of strategic narratives as discussed in chapter

six, considering the rise in security challenges and conflicts that do not rise to the threshold of

conflict and the importance of the ‘battle of narratives’ to future influence and the attainment of

security objectives.763

Perhaps the most eloquently articulated vindication of this research is contained within paragraph

2.7 of the Defence Command Paper, which states that

cyberspace threats will emanate from state, state-sponsored and criminal groups with personnel and capabilities moving seamlessly between them. As with other domains, cyberspace activity is often leveraged as part of a wider, coordinated and integrated attack. Cyberspace espionage can and will be used as part of

761 Cabinet Office of the United Kingdom, 27. 762 Ministry of Defence, “Defence in a Competitive Age” (The APS Group, 2021), 5, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/971859/_CP_411__-_Defence_in_a_competitive_age.pdf. 763 Ministry of Defence, 5.


275

wider influence and propaganda campaigns, as well as in support of wider hostile activity up to and including conventional warfare.764

In no uncertain terms, the Defence Command Paper both elevates the risk potential of cyberspace

and identifies the ongoing requirement for cyber counterintelligence as defined in this thesis.765

This also aligns with my view (articulated in chapter one) that while cyberspace activities can be

conducted in isolation from activities in the other domains of land, sea, air, and space, cyberspace

also functions as an overlay that connects and forms networks between and among the traditional

warfare domains. The integration of MOD, GCHQ and Secret Intelligence Service (SIS)

capabilities into the National Cyber Force is clear evidence for the growing importance of

cyberspace and cyber counterintelligence, given that its stated purpose is to “deceive, degrade,

deny, disrupt, or destroy targets in or through cyberspace in pursuit of our national security

objectives.”766 Straddling the line between proactive cyber counterintelligence and cyber warfare

(articulated as a possibility in chapter five), the UK has identified the need for further elevation of

CCI capabilities and produced policy intended to ensure those capabilities to enable the resilience

and security of the state.

Directions for future research

There are multiple avenues for further research based on the theoretical and conceptual

developments offered in this thesis, and the findings of the case study and problem analysis. I will

offer several immediate options for further research, but this is not an exhaustive list and there

remains significant space for development. In terms of threat elevation analysis, there was not

sufficient scope to engage fully with the threat attenuation process, and this deserves further

development and testing. There is also significant potential to further apply the threat elevation

framework in alternate security sectors (non-cyber sectors), and against problems unrelated to the

field of CCI. Further, I suggest that engaging with CCI in relation to both disinformation and more

traditional security risks and threats would strengthen the concepts laid out in this thesis and

contribute to the nascent body of literature in the field. There was no scope in this thesis to

consider the ethical and moral elements of CCI as utilised by all actors identified in chapter five,

and there is considerable room for application and development here. Finally, there are

opportunities for further analysis on the development of British approaches to audience threat and

vulnerability in light of the Integrated Review and Defence Command Paper.

764 Ministry of Defence, 10. 765 Cyber counterintelligence is examined in depth in chapter five. 766 Ministry of Defence, “Defence in a Competitive Age,” 44.


276

Closing thoughts

In a rapidly changing and fast-evolving security environment, the resilience and security of the

state is increasingly hard to ensure with the sole power of a representative government. While the

responsibility for overall national security falls to the sovereign state, some of the responsibility

for security in cyberspace should fall to the individual, who, in engaging with CCI for their own

purposes also contributes to the aggregate security of the state. However, in racing to secure assets

– data, infrastructure, and systems – from attack and exploitation in cyberspace, states have failed

to adequately recognise and elevate the threat to their audiences – the democratic public – of

malign disinformation operations that are undertaken through and enabled by cyberspace

technologies. To engage with CCI in an efficient and effective way, states need to bridge the assets

vs. audiences divide and appropriately elevate the threat to both pillars of modern democracy. It

is important to note that while states have not fully engaged in adequate threat elevation of

audience vulnerability, based on the case study of the UK and the brief analysis of recent

development presented above, we are moving in the right direction. The audience as a vulnerability

and a threat vector is being elevated, being riskified, and management measures are being designed

and enacted to increase the resilience and security of democracies in the cyber era. This thesis has

offered an analytical framework and the conceptual development of CCI and applied these to a

state case and a specific national security concern. It is my hope that the contributions made in

this thesis and the conclusions drawn from the resulting analysis will aid in progress toward greater

resilience and security in cyberspace, the further development of the field of cyber

counterintelligence and the ongoing democratic integrity project.


277

Bibliography 350.org. “350.Org: A Global Campaign to Confront the Climate Crisis.” 350.org, 2021.

https://350.org. Abdulla, Hisham. “Locutionary, Illocutionary and Perlocutionary Acts Between Modern

Linguistics and Traditional Arabic Linguistics.” Al-Mustansiriya Literary 55 (2012): 59–76. Alexander, Christian. “A Year After ‘Day Zero,’ Cape Town’s Drought Is Over, But Water

Challenges Remain.” Bloomberg.Com, April 12, 2019. https://www.bloomberg.com/news/articles/2019-04-12/looking-back-on-cape-town-s-drought-and-day-zero.

Allan, Collin S. “Attribution Issues in Cyberspace.” Chicago-Kent Journal of International and Comparative Law 13, no. 2 (2013 2012): 55–83.

Allhoff, Fritz, and Adam Henschke. “The Internet of Things: Foundational Ethical Issues.” Internet of Things 1–2 (September 2018): 55–66. https://doi.org/10.1016/j.iot.2018.08.005.

Amer, Karim, and Jehane Noujaim. The Great Hack. Documentary, 2019. https://www.netflix.com/au/title/80117542.

American Society of International Law. “Beyond National Jurisdiction: Cyberspace.” American Society of International Law, 2017. /topics/signaturetopics/BNJ/cyberspace.

Anderson, Janna, and Lee Rainie. “The Future of Truth and Misinformation Online.” Pew Research Center, October 19, 2017. https://www.pewresearch.org/internet/2017/10/19/the-future-of-truth-and-misinformation-online/.

Anderson, Nate. “Confirmed: US and Israel Created Stuxnet, Lost Control of It.” Ars Technica, June 1, 2012. https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/.

Andress, Jason, and Steve Winterfeld. Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners. Waltham: Elsevier, 2011.

Andrews, Christopher. The Secret World: A History of Intelligence. New York: Penguin Books, 2019. https://www.penguin.com.au/books/the-secret-world-9780140285321.

Angwin, Julia. Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. New York: Henry Holt and Company, 2014.

Aral, Sinan, and Dean Eckles. “Protecting Elections from Social Media Manipulation.” Science 365, no. 6456 (August 30, 2019): 858–61. https://doi.org/10.1126/science.aaw8243.

Archetti, Christina. “Terrorism, Communication and New Media: Explaining Radicalization in the Digital Age.” Perspectives on Terrorism 9, no. 1 (2015): 49–59.

Arrigo, Bruce A. The SAGE Encyclopedia of Surveillance, Security, and Privacy. Vol. 3. SAGE Publications, 2016.

Associated Press. “Colonial Pipeline Confirms It Paid $4.4m Ransom to Hacker Gang after Attack.” the Guardian, May 20, 2021. http://www.theguardian.com/technology/2021/may/19/colonial-pipeline-cyber-attack-ransom.

Aubrey, Sophie. “The Curious Marriage of QAnon and Wellness.” The Sydney Morning Herald, September 26, 2020. https://www.smh.com.au/lifestyle/health-and-wellness/playing-with-fire-the-curious-marriage-of-qanon-and-wellness-20200924-p55yu7.html.

Austin, Erica Weintraub, and Porismita Borah. “How to Talk to Vaccine Skeptics so They Might Actually Hear You.” The Conversation, 2020. http://theconversation.com/how-to-talk-to-vaccine-skeptics-so-they-might-actually-hear-you-143794.

Austin, J. L. How to Do Things with Words. 2nd ed. London: Oxford University Press, 1980. Australian Cyber Security Centre. “Dark Web.” Australian Cyber Security Centre, 2021.

https://www.cyber.gov.au/acsc/view-all-content/glossary/dark-web. ———. “In the Wild.” Australian Signals Directorate | Australian Cyber Security Centre, 2021.

https://www.cyber.gov.au/acsc/view-all-content/glossary/wild.

Bibliography

278

———. “Script Kiddie.” Australian Signals Directorate | Australian Cyber Security Centre, 2021. https://www.cyber.gov.au/acsc/view-all-content/glossary/script-kiddie.

———. “The Commonwealth Cyber Security Posture in 2019.” Australian Signals Directorate | Australian Cyber Security Centre, 2019. https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/commonwealth-cyber-security-posture-2019.

Awan, Imran. “Cyber-Extremism: Isis and the Power of Social Media.” Society 54, no. 2 (April 1, 2017): 138–49. https://doi.org/10.1007/s12115-017-0114-0.

Bacevich, Andrew. “Endless War in the Middle East.” Cato Institute, June 13, 2016. https://www.cato.org/catos-letter/endless-war-middle-east.

Bagaric, Mirko. “High Court Likely to ‘Free’ Covid’s Political Prisoners.” The Weekend Australian, September 22, 2020. https://www.theaustralian.com.au/commentary/high-court-likely-to-free-covids-political-prisoners/news-story/68b63c9c4fe6a7bb78a0cba04ff294e5.

Balzacq, Thierry. “A Theory of Securitization: Origins, Core Assumptions, and Variants.” In Securitization Theory: How Security Problems Emerge and Dissolve, 1–30. PRIO, New Security Studies. New York: Routledge, 2011.

———. “Legitimacy and the ‘Logic’ of Security.” In Contesting Security: Strategies and Logics, 1–10. PRIO New Security Studies. New York: Routledge, 2015.

———. “Securitization Theory: Past, Present, and Future.” Polity 51, no. 2 (April 2019): 331–48. https://doi.org/10.1086/701884.

———. “The ‘Essence’ of Securitization: Theory, Ideal Type, and a Sociological Science of Security.” International Relations 29, no. 1 (March 1, 2015): 103–13. https://doi.org/10.1177/0047117814526606b.

———. “The Three Faces of Securitization: Political Agency, Audience and Context.” European Journal of International Relations 11, no. 2 (June 1, 2005): 171–201. https://doi.org/10.1177/1354066105052960.

Balzacq, Thierry, Sarah Léonard, and Jan Ruzicka. “‘Securitization’ Revisited: Theory and Cases.” International Relations 30, no. 4 (December 1, 2016): 494–531. https://doi.org/10.1177/0047117815596590.

Barnett, Jon. The Meaning of Environmental Security: Ecological Politics and Policy in the New Security Era. London: Zed Books, 2001.

Barrett, Brian. “DNC Lawsuit Against Russia Reveals New Details About 2016 Hack.” Wired, April 20, 2018. https://www.wired.com/story/dnc-lawsuit-reveals-key-details-2016-hack/.

BBC. “Cyber Attacks Blamed on China.” BBC News, January 31, 2013, sec. China. https://www.bbc.com/news/world-asia-china-21272613.

BBC News. “Manchester Arena Blast: 19 Dead and More than 50 Hurt.” BBC News, May 23, 2017, sec. Manchester. https://www.bbc.com/news/uk-england-manchester-40007886.

———. “Parsons Green: Underground Blast a Terror Incident, Say Police.” BBC News, September 15, 2017, sec. UK. https://www.bbc.com/news/uk-41278545.

———. “Sony Pays up to $8m over Employees’ Hacked Data.” BBC News, October 21, 2015, sec. Business. https://www.bbc.com/news/business-34589710.

Beauchemin, Molly. “17 Celebrities Who Actively Work to Protect the Environment.” Garden Collage Magazine, November 8, 2017. https://gardencollage.com/change/climate-change/celebrities-care-environment-want-know/.

Belinchón, Fernando, and Qayyah Moynihan. “25 Giant Companies That Earn More Than Entire Countries.” Business Insider, July 25, 2018. https://www.businessinsider.com/25-giant-companies-that-earn-more-than-entire-countries-2018-7?r=AU&IR=T.

Bellingcat. “MH17.” Bellingcat, 2021. https://www.bellingcat.com/tag/mh17/. Bender, Jeremy. “FBI: A Chinese Hacker Stole Massive Amounts Of Intel On 32 US Military

Projects.” Business Insider Australia, July 17, 2014. https://www.businessinsider.com.au/chinese-hackers-stole-f-35-data-2014-7.


279

Benthem van den Bergh, Godfried van. “The Taming of the Great Nuclear Powers.” Policy Outlook. Carnegie Endowment for International Peace, 2009.

Beran, Dale. “The Return of Anonymous.” The Atlantic, August 11, 2020. https://www.theatlantic.com/technology/archive/2020/08/hacker-group-anonymous-returns/615058/.

Bergin, Tom, and Nathan Layne. “Special Report: Cyber Thieves Exploit Banks’ Faith in SWIFT Transfer Network.” Reuters, May 20, 2016. https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD.

Berreby, David. “Click to Agree with What? No One Reads Terms of Service, Studies Confirm.” The Guardian, March 4, 2017. https://www.theguardian.com/technology/2017/mar/03/terms-of-service-online-contracts-fine-print.

Berzina, Kristine. “Sweden — Preparing for the Wolf, Not Crying Wolf: Anticipating and Tracking Influence Operations in Advance of Sweden’s 2018 General Elections.” The German Marshall Fund of the United States, September 7, 2018. https://www.gmfus.org/blog/2018/09/07/sweden-preparing-wolf-not-crying-wolf-anticipating-and-tracking-influence.

Bessi, Alessandro, and Emilio Ferrara. “Social Bots Distort the 2016 U.S. Presidential Election Online Discussion.” First Monday 21, no. 11 (November 3, 2016). https://doi.org/10.5210/fm.v21i11.7090.

Bhargava, Rishi. “Human Error, We Meet Again.” Security Magazine, December 6, 2018. https://www.securitymagazine.com/articles/89664-human-error-we-meet-again?v=preview.

Bickert, Monika, and Brian Fishman. “Hard Questions: How Effective Is Technology in Keeping Terrorists off Facebook?” About Facebook (blog), April 23, 2018. https://about.fb.com/news/2018/04/keeping-terrorists-off-facebook/.

Bisson, David. “‘123456’ Remains the World’s Most Breached Password.” Security Boulevard, April 22, 2019. https://securityboulevard.com/2019/04/123456-remains-the-worlds-most-breached-password/.

Biswas, Niloy. “Is the Environment a Security Threat? Environmental Security beyond Securitization.” International Affairs Review 20, no. 1 (2011): 1–22.

Blair, Tony. “Full Text of Tony Blair’s Speech to Parliament.” The Guardian, October 4, 2001. http://www.theguardian.com/world/2001/oct/04/september11.usa3.

Booth, Ken. “Security and Emancipation.” Review of International Studies 17, no. 4 (1991): 313–26. Borgesius, Frederik J. Zuiderveen, Judith Möller, Sanne Kruikemeier, Ronan Ó Fathaigh, Kristina

Irion, Tom Dobber, Balazs Bodo, and Claes de Vreese. “Online Political Microtargeting: Promises and Threats for Democracy.” Utrecht Law Review 14, no. 1 (February 9, 2018): 82–96. https://doi.org/10.18352/ulr.420.

Boudana, Sandrine. “A Definition of Journalistic Objectivity as a Performance.” Media, Culture & Society 33, no. 3 (April 1, 2011): 385–98. https://doi.org/10.1177/0163443710394899.

Boulding, Kenneth. The Image: Knowledge in Life and Society. Ann Arbor: University of Michigan Press, 1956. https://www.press.umich.edu/6607/image.

Bowden, Mark. Worm: The First Digital World War. Atlantic Books Ltd, 2012. Boyle, Danny, Chris Graham, and David Millward. “Finsbury Park Mosque Attack Latest: Theresa

May Vows Hatred and Evil Will Never Succeed as Labour Warns of Rise in Islamophobia.” Accessed May 15, 2021. https://web.archive.org/web/20170621045319/https://www.telegraph.co.uk/news/2017/06/19/finsbury-park-mosque-latest-terror-attack-london-live/.

Braddock, Kurt, and John Horgan. “Towards a Guide for Constructing and Disseminating Counternarratives to Reduce Support for Terrorism.” Studies in Conflict & Terrorism 39, no. 5 (May 3, 2016): 381–404. https://doi.org/10.1080/1057610X.2015.1116277.

Bibliography

280

Bradshaw, Samantha, and Philip N. Howard. “The Global Disinformation Order: 2019 Global Inventory of Organised Social Media Manipulation.” Oxford: University of Oxford Computational Propaganda Research Project, 2019. https://demtech.oii.ox.ac.uk/wp-content/uploads/sites/93/2019/09/CyberTroop-Report19.pdf?utm_source=newsletter&utm_medium=email&utm_campaign=timestop10_daily_newsletter.

Brandom, Russell. “UK Hospitals Hit with Massive Ransomware Attack - The Verge.” The Verge, May 12, 2017. https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin.

Brechenmacher, Saskia. “Comparing Democratic Distress in the United States and Europe.” Washington, DC: Carnegie Endowment for International Peace, 2018.

Brooks, Arthur C. “Opinion | Conspiracy Theories Are a Dangerous Threat to Our Democracy.” Washington Post, September 3, 2019. https://www.washingtonpost.com/opinions/2019/09/03/conspiracy-theories-are-dangerous-threat-our-democracy/.

Brunnstrom, David, and Jim Finkle. “U.S. Considers ‘proportional’ Response to Sony Hacking Attack | Reuters.” Reuters, December 19, 2014. https://www.reuters.com/article/us-sony-cybersecurity-northkorea-idUSKBN0JW24Z20141218.

Buente, Wane, and Chamil Rathnayake. “#WeAreMaunaKea: Celebrity Involvement in a Protest Movement.” In IConference 2016 Proceedings. Philadelphia, USA: iSchools, 2016. https://doi.org/10.9776/16311.

Bumiller, Elisabeth, and Thom Shanker. “Panetta Warns of Dire Threat of Cyberattack on U.S.” The New York Times, October 12, 2012, sec. World. https://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html.

Burki, Talha. “Vaccine Misinformation and Social Media.” The Lancet Digital Health 1, no. 6 (October 1, 2019): e258–59. https://doi.org/10.1016/S2589-7500(19)30136-0.

Burt, Tom. “New Action to Combat Ransomware Ahead of U.S. Elections.” Microsoft On the Issues, October 12, 2020. https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/.

Burton, Bob. Inside Spin : The Dark Underbelly of the PR Industry. Crows Nest: Allen & Unwin, 2007. https://research.usc.edu.au/discovery/fulldisplay/alma999899902621/61USC_INST:ResearchRepository.

Bush, George W. “President Bush Addresses the Nation.” Washington post, September 20, 2001. https://www.washingtonpost.com/wp-srv/nation/specials/attacked/transcripts/bushaddress_092001.html.

Bussolati, Nicolò. “The Rise of Non-State Actors in Cyberwarfare.” In Cyberwar: Law and Ethics for Virtual Conflicts, edited by Jens David Ohlin, Kevin Govern, and Claire Finkelstein, 102–26. New York: Oxford University Press, 2015. https://doi.org/10.1093/acprof:oso/9780198717492.003.0007.

Buzan, Barry. People, States, and Fear: An Agenda for International Security Studies in the Post-Cold War Era. New York: Prentice Hall, 1991.

———. “Regional Security Complex Theory in the Post-Cold War World.” In Theories of New Regionalism: A Palgrave Reader, edited by Fredrik Söderbaum and Timothy M. Shaw, 140–59. International Political Economy Series. London: Palgrave Macmillan UK, 2003. https://doi.org/10.1057/9781403938794_8.

———. “The Logic of Regional Security in the Post-Cold War World.” In The New Regionalism and the Future of Security and Development: Volume 4, edited by Björn Hettne, András Inotai, and Osvaldo Sunkel, 1–25. The New Regionalism. London: Palgrave Macmillan UK, 2000. https://doi.org/10.1007/978-1-137-11498-3_1.


281

Buzan, Barry, Charles Jones, and Richard Little. The Logic of Anarchy: Neorealism to Structural Realism. New York: Columbia University Press, 1993.

Buzan, Barry, Ole Waever, and Jaap de Wilde. Security: A New Framework for Analysis. Boulder: Lynne Rienner Publishers, Inc, 1998.

Bytwerk, Randall L. “Believing in ‘Inner Truth’: The Protocols of the Elders of Zion in Nazi Propaganda, 1933–1945.” Holocaust and Genocide Studies 29, no. 2 (2015): 212–29.

Cabinet Office of the United Kingdom. “A Strong Britain in an Age of Uncertainty: The National Security Strategy.” The Stationery Office, 2010. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/61936/national-security-strategy.pdf.

———. “Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space.” The Stationery Office, 2009. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/228841/7642.pdf.

———. “Global Britain in a Competitive Age: The Integrated Review of Security, Defence, Development and Foreign Policy.” The APS Group, 2021. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/975077/Global_Britain_in_a_Competitive_Age-_the_Integrated_Review_of_Security__Defence__Development_and_Foreign_Policy.pdf.

———. “National Cyber Security Strategy 2016-2021.” The Stationery Office, 2016. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf.

———. “National Security Capability Review.” The Stationery Office, 2018. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/705347/6.4391_CO_National-Security-Review_web.pdf.

———. “National Security Strategy and Strategic Defence and Security Review 2015: A Secure and Prosperous United Kingdom,” 2015. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/555607/2015_Strategic_Defence_and_Security_Review.pdf.

———. “Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review.” The Stationery Office, 2010. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/62482/strategic-defence-security-review.pdf.

———. “The National Security Strategy of the United Kingdom: Security in an Interdependent World.” The Stationery Office, 2008. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/228539/7291.pdf.

———. “The National Security Strategy of the United Kingdom: Update 2009.” The Stationery Office, 2009. http://www.cabinetoffice.gov.uk/media/216734/nss2009v2.pdf.

———. “The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World.” The Stationery Office, 2011. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf.

Cahill, Petra. “Cheney Says Russian Meddling in U.S. Election Possibly an ‘Act of War.’” NBC News, March 29, 2017. https://www.nbcnews.com/politics/white-house/dick-cheney-russian-election-interference-could-be-seen-act-war-n739391.

Cakebread, Caroline. “You’re Not Alone, No One Reads Terms of Service Agreements.” Business Insider Australia, November 15, 2017. https://www.businessinsider.com.au/deloitte-study-91-percent-agree-terms-of-service-without-reading-2017-11.

Bibliography

282

Cambridge Analytica. “CA Political,” July 2, 2017. https://web.archive.org/web/20170702090555/https://ca-political.com/.

Cambridge Analytica - The Power of Big Data and Psychographics. Concordia, 2016. https://www.youtube.com/watch?v=n8Dd5aVXLC.

Carera, Gordon. Intercept: The Secret History of Computers and Spies. London: Weidenfeld & Nicolson, 2015.

Carr, Austin. “When Jack Dorsey’s Fight Against Twitter Trolls Got Personal.” Fast Company, April 9, 2018. https://www.fastcompany.com/40549979/when-jack-dorseys-fight-against-twitter-trolls-got-personal.

CB Insights. “What Are Psychographics?” CB Insights Research, May 6, 2020. https://www.cbinsights.com/research/what-is-psychographics/.

CBS News. “UK Police: 22 Confirmed Dead after Terror Incident at Ariana Grande Concert.” CBS News, May 23, 2017. https://www.cbsnews.com/news/ariana-grande-concert-manchester-arena-explosion/.

Center for Strategic and International Studies. “Global Cyber Strategies Index.” Center for Strategic and International Studies, 2021. https://www.csis.org/programs/strategic-technologies-program/cybersecurity-and-governance/global-cyber-strategies-index.

Centers for Disease Control and Prevention. “Autism and Vaccines | Vaccine Safety | CDC.” Autism and Vaccines, January 26, 2021. https://www.cdc.gov/vaccinesafety/concerns/autism.html.

Centre for the Protection of National Infrastructure. “Centre for the Protection of National Infrastructure | CPNI.” Centre for the Protection of National Infrastructure | CPNI, 2021. https://www.cpni.gov.uk/.

Cerf, Vint. “A Brief History of the Internet & Related Networks.” Internet Society (blog), 2021. https://www.internetsociety.org/internet/history-internet/brief-history-internet-related-networks/.

Cha, Bonnie. “Too Embarrassed to Ask: What Is ‘The Cloud’ and How Does It Work?” Vox, April 30, 2015. https://www.vox.com/2015/4/30/11562024/too-embarrassed-to-ask-what-is-the-cloud-and-how-does-it-work.

Chabinsky, Steven, and F. Paul Pittman. “Data Protection 2020 | Laws and Regulations | USA.” International Comparative Legal Guides, 2020. https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa.

Chatterjee, Partha. “The Classical Balance of Power Theory.” Journal of Peace Research 9, no. 1 (1972): 51–61.

Chirac, Jacques. “Allocution de M. Jacques Chirac, Président de la République, sur les attentats terroristes à New York et à Washington, la solidarité de la France avec les Etats-Unis et la coopération de la France dans la lutte contre le terrorisme, Washington, le 19 septembre 2001.” elysee.fr, September 19, 2001. https://www.elysee.fr/jacques-chirac/2001/09/19/allocution-de-m-jacques-chirac-president-de-la-republique-sur-les-attentats-terroristes-a-new-york-et-a-washington-la-solidarite-de-la-france-avec-les-etats-unis-et-la-cooperation-de-la-france-dans-la-lutte-contre-le-terrorisme-washington-le-19-sep.

———. “Lettre de M. Jacques Chirac, Président de la République, adressée à M. George Walker Bush , Président des Etats-Unis d’Amérique, à la suite des attentats ayant frappé les villes de New York et Washington, Paris le 11 septembre 2001.” elysee.fr, September 11, 2001. https://www.elysee.fr/jacques-chirac/2001/09/11/lettre-de-m-jacques-chirac-president-de-la-republique-adressee-a-m-george-walker-bush-president-des-etats-unis-damerique-a-la-suite-des-attentats-ayant-frappe-les-villes-de-new-york-et-washington-paris-le-11-septembre-2001.


283

Choi, Kyung-shick, Claire Seungeun Lee, and Robert Cadigan. “Spreading Propaganda in Cyberspace: Comparing Cyber-Resource Usage of Al Qaeda and ISIS.” International Journal of Cybersecurity Intelligence and Cybercrime 1, no. 1 (2018): 21–39.

Cimpanu, Catalin. “FireEye, One of the World’s Largest Security Firms, Discloses Security Breach.” ZDNet, December 8, 2020. https://www.zdnet.com/article/fireeye-one-of-the-worlds-largest-security-firms-discloses-security-breach/.

Ciutǎ, Felix. “Security and the Problem of Context: A Hermeneutical Critique of Securitisation Theory.” Review of International Studies 35, no. 2 (2009): 301–26.

Clark, David D., and Susan Landau. “Untangling Attribution.” In Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy, 25–40. Washington, D.C.: National Research Council of the National Academies, 2010. https://doi.org/10.17226/12997.

Clarke, Richard A., and Robert Knake. Cyber War: The Next Threat To National Security and What to Do About It. New York: HarperCollins, 2012. https://www.harpercollins.com/products/cyber-war-richard-a-clarkerobert-knake.

Cloudflare. “What Is the Cloud? | Cloud Definition.” Cloudflare. Accessed June 19, 2021. https://www.cloudflare.com/learning/cloud/what-is-the-cloud/.

CNN Editorial Research. “2016 Presidential Campaign Hacking Fast Facts.” CNN, October 28, 2020. https://www.cnn.com/2016/12/26/us/2016-presidential-campaign-hacking-fast-facts/index.html.

Cohen, Jeremy. “Cell Tower Vandals and Re-Open Protestors — Why Some People Believe in Coronavirus Conspiracies.” The Conversation, May 22, 2020. http://theconversation.com/cell-tower-vandals-and-re-open-protestors-why-some-people-believe-in-coronavirus-conspiracies-138192.

Colby, Elbridge. “The Role of Nuclear Weapons in the U.S.-Russian Relationship.” Carnegie Endowment for International Peace, 2016. https://carnegieendowment.org/2016/02/26/role-of-nuclear-weapons-in-u.s.-russian-relationship-pub-62901.

Collier, David. “Understanding Process Tracing.” PS: Political Science & Politics 44, no. 4 (October 2011): 823–30. https://doi.org/10.1017/S1049096511001429.

Colombani, Jean-marie. “Nous sommes tous Américains.” Le Monde.fr, September 13, 2001. https://www.lemonde.fr/idees/article/2011/09/09/nous-sommes-tous-americains_1569503_3232.html.

Committee on Energy and Commerce. Cyber Espionage and the Theft of U.S. Intellelectual Property and Technology, Pub. L. No. 113–67, § Committee on Energy and Commerce (2013). https://www.govinfo.gov/content/pkg/CHRG-113hhrg86391/html/CHRG-113hhrg86391.htm.

Conley, Heather A., and Jean-Baptiste Jeangene Vilmer. “Successfully Countering Russian Electoral Interference.” Center for Strategic & International Studies, June 21, 2018. https://www.csis.org/analysis/successfully-countering-russian-electoral-interference.

Conte, Alex. Security in the 21st Century : The United Nations, Afghanistan and Iraq. New York: Routledge, 2006. https://doi.org/10.4324/9781351149563.

Conway, Maura, Moign Khawaja, Suraj Lakhani, Jeremy Reffin, Andrew Robertson, and David Weir. “Disrupting Daesh: Measuring Takedown of Online Terrorist Material and Its Impacts.” Studies in Conflict & Terrorism 42, no. 1–2 (February 1, 2019): 141–60. https://doi.org/10.1080/1057610X.2018.1513984.

Cook, James, and Joseph Archer. “Telegraph Investigation: Google Search Exposes Sensitive Files and Emails from inside the Government and the NHS.” The Telegraph, April 18, 2020. https://web.archive.org/web/20200418181314/https://www.telegraph.co.uk/technology/2018/07/21/telegraph-investigation-google-search-exposes-sensitive-government/.

Bibliography

284

Cook, John, and Stephan Lewandowsky. “Coronavirus Conspiracy Theories Are Dangerous – Here’s How to Stop Them Spreading.” The Conversation, April 20, 2020. http://theconversation.com/coronavirus-conspiracy-theories-are-dangerous-heres-how-to-stop-them-spreading-136564.

Cooper, Sam. “Coronavirus Conspiracies Pushed by Russia, Amplified by Chinese Officials: Experts.” Global News, April 28, 2020. https://globalnews.ca/news/6793733/coronavirus-conspiracy-theories-russia-china/.

Corderoy, Amy. “Vaccine Expert Julie Leask Says Internet Outrage about Vaccination Risks Make Problem Worse.” The Sydney Morning Herald, March 30, 2015. https://www.smh.com.au/national/nsw/vaccine-expert-julie-leask-says-internet-outrage-about-vaccination-risks-make-problem-worse-20150330-1mb3gp.html.

Cordesman, Anthony H. “America’s Failed Strategy in the Middle East: Losing Iraq and the Gulf,” 2020. https://www.csis.org/analysis/americas-failed-strategy-middle-east-losing-iraq-and-gulf.

Corporate Finance Institute. “Flash Crashes - Overview, Causes, and Past Examples.” Corporate Finance Institute, 2021. https://corporatefinanceinstitute.com/resources/knowledge/finance/flash-crashes/.

Corry, Olaf. “Securitisation and ‘Riskification’: Second-Order Security and the Politics of Climate Change.” Millennium: Journal of International Studies 40, no. 2 (January 2012): 235–58. https://doi.org/10.1177/0305829811419444.

Cossins, Daniel. “Discriminating Algorithms: 5 Times AI Showed Prejudice.” New Scientist, April 27, 2018. https://www.newscientist.com/article/2166207-discriminating-algorithms-5-times-ai-showed-prejudice/.

Council of Europe. “Chart of Signatures and Ratifications of Treaty 185.” Treaty Office, November 4, 2021. https://www.coe.int/en/web/conventions/full-list.

———. “Council of Europe Counter-Terrorism Strategy 2018-2022.” Council of Europe | Committee of Ministers, 2018. https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016808afc96.

———. “Country Profiles on Counter-Terrorism Capacity.” Council of Europe | Counter-terrorism, 2021. https://www.coe.int/en/web/counter-terrorism/country-profiles.

Council on Foreign Relations. “Greece’s Debt Crisis Timeline.” Council on Foreign Relations, 2021. https://www.cfr.org/timeline/greeces-debt-crisis-timeline.

Craig, Geoffrey. “Celebrities and Environmental Activism.” In Media, Sustainability and Everyday Life, by Geoffrey Craig, 135–63. Palgrave Studies in Media and Environmental Communication. London: Palgrave Macmillan UK, 2019. https://doi.org/10.1057/978-1-137-53469-9_6.

Crowdstrike. “Our Work with the DNC: Setting the Record Straight.” Crowdstrike (blog), June 5, 2020. https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.

———. “What Is a Zero-Day Attack? | CrowdStrike.” crowdstrike.com, 2021. https://www.crowdstrike.com/cybersecurity-101/zero-day-exploit/.

Cull, Nicholas J., Vasily Gatov, Peter Pomerantsev, Anne Applebaum, and Alistair Shawcross. “Soviet Subversion, Disinformation and Propaganda: How the West Fought Against It - An Analytic History, with Lessons for the Present.” LSE Consulting. London: LSE Institute of Global Affairs, 2017. https://www.lse.ac.uk/iga/assets/documents/arena/2018/Jigsaw-Soviet-Subversion-Disinformation-and-Propaganda-Final-Report.pdf.

Cunliffe, Emma, and Luigi Curini. “ISIS and Heritage Destruction: A Sentiment Analysis.” Antiquity 92, no. 364 (August 2018): 1094–1111. https://doi.org/10.15184/aqy.2018.134.

Curry, Andrew. “Here Are the Ancient Sites ISIS Has Damaged and Destroyed.” National Geographic, September 1, 2015.


285

https://www.nationalgeographic.com/history/article/150901-isis-destruction-looting-ancient-sites-iraq-syria-archaeology.

Cushman Jr, John H., and Thom Shanker. “A Nation at War: Combat Technology - A War Like No Other Uses New 21st-Century Methods To Disable Enemy Forces.” The New York Times, April 10, 2003, sec. U.S. https://www.nytimes.com/2003/04/10/us/nation-war-combat-technology-war-like-no-other-uses-new-21st-century-methods.html.

Czosseck, C., Rain Ottis, and Anna-Maria Talihärm. “Estonia after the 2007 Cyber Attacks: Legal, Strategic and Organisational Changes in Cyber Security.” International Journal of Cyber Warfare and Terrorism 1 (2011): 24–34. https://doi.org/10.4018/ijcwt.2011010103.

Dahan, Michael. “Hacking for the Homeland: Patriotic Hackers Versus Hacktivists.” In Proceedings of the 8th International Conference on Information Warfare and Security: ICIW 2013, edited by Doug Hart. Denver: Academic Conferences Limited, 2013.

Dalaqua, Renata H. “‘Securing Our Survival (SOS)’: Non-State Actors and the Campaign for a Nuclear Weapons Convention through the Prism of Securitisation Theory.” Brazilian Political Science Review 7, no. 3 (2013): 90-117,167-168.

Davies, Harry. “Ted Cruz Campaign Using Firm That Harvested Data on Millions of Unwitting Facebook Users.” the Guardian, December 11, 2015. http://www.theguardian.com/us-news/2015/dec/11/senator-ted-cruz-president-campaign-facebook-user-data.

Davis, Joshua. “Hackers Take Down the Most Wired Country in Europe.” Wired, August 21, 2007. https://www.wired.com/2007/08/ff-estonia/.

Dearden, Lizzie, and May Bulman. “Isis Claims Responsibility for London Terror Attack.” The Independent, June 4, 2017. https://www.independent.co.uk/news/uk/home-news/london-terror-attack-isis-claims-responsibility-borough-market-bridge-a7772776.html.

Defense Advanced Research Projects Agency. “Paving the Way to the Modern Internet.” DARPA | Defense Advanced Research Projects Agency, 2021. https://www.darpa.mil/about-us/timeline/modern-internet.

Deibert, Ronald J. “Black Code Redux: Censorship, Surveillance, and the Militarization of Cyberspace.” In Digital Media and Democracy: Tactics in Hard Times, edited by Megan Boler, 137–64. London: The MIT Press, 2008.

Deibert, Ronald J., Rafal Rohozinski, and Masashi Crete-Nishihata. “Cyclones in Cyberspace: Information Shaping and Denial in the 2008 Russia–Georgia War.” Security Dialogue 43, no. 1 (February 1, 2012): 3–24. https://doi.org/10.1177/0967010611431079.

Deloitte. “Transforming Cybersecurity in the Financial Services Industry: New Approaches for an Evolving Threat Landscape.” Johannesburg: Deloitte, 2014.

Department of Foreign Affairs and Trade. “Australia’s International Cyber Engagement Strategy.” Australian Government, 2017. https://web.archive.org/web/20180216140850/https://www.dfat.gov.au/international-relations/themes/cyber-affairs/aices/preliminary_information/introduction.html.

Department of Justice Office of Public Affairs. “Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research.” The United States Department of Justice, July 21, 2020. https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion.

Devlin, Hannah. “AI Programs Exhibit Racial and Gender Biases, Research Reveals.” The Guardian, April 14, 2017. https://www.theguardian.com/technology/2017/apr/13/ai-programs-exhibit-racist-and-sexist-biases-research-reveals.

Dickson, E. J. “Wellness Influencers Are Calling Out QAnon Conspiracy Theorists for Spreading Lies.” Rolling Stone (blog), September 15, 2020.

Bibliography

286

https://www.rollingstone.com/culture/culture-news/qanon-wellness-influencers-seane-corn-yoga-1059856/.

Dizikes, Peter. “Study: On Twitter, False News Travels Faster than True Stories.” MIT News | Massachusetts Institute of Technology, March 8, 2018. https://news.mit.edu/2018/study-twitter-false-news-travels-faster-true-stories-0308.

Dodd, Vikram. “Palace Terror Suspect Was Uber Driver Who Had Tried to Get to Windsor Castle.” the Guardian, August 31, 2017. http://www.theguardian.com/uk-news/2017/sep/01/buckingham-palace-terror-suspect-had-tried-to-get-to-windsor-castle.

Dodd, Vikram, and Matthew Taylor. “London Attack: ‘Aggressive’ and ‘Strange’ Suspect Vowed to ‘Do Some Damage.’” the Guardian, June 20, 2017. http://www.theguardian.com/uk-news/2017/jun/19/several-casualties-reported-after-van-hits-pedestrians-in-north-london.

Doffman, Zak. “Anonymous Hackers Target TikTok: ‘Delete This Chinese Spyware Now.’” Forbes, July 1, 2020. https://www.forbes.com/sites/zakdoffman/2020/07/01/anonymous-targets-tiktok-delete-this-chinese-spyware-now/.

———. “New Coronavirus Warning: These ‘COVID-19 Discounts’ Are Now The Most Dangerous Deals Online.” Forbes, March 19, 2020. https://www.forbes.com/sites/zakdoffman/2020/03/19/new-coronavirus-warning-beware-these-covid-19-discounts-the-most-dangerous-deals-online/.

Donnelly, Jack. “Realism.” In Theories of International Relations, by Scott Burchill, A. Linklater, R. Devetak, M. Paterson, J. Donnelly, C. Reus-Smit, and J. True, 3rd ed. Palgrave Macmillan, 2005. http://dro.deakin.edu.au/view/DU:30010384.

Dorling, Philip. “China Stole Plans for a New Fighter Plane, Spy Documents Have Revealed.” The Sydney Morning Herald, January 18, 2015. https://www.smh.com.au/national/china-stole-plans-for-a-new-fighter-plane-spy-documents-have-revealed-20150118-12sp1o.html.

Douglas, Karen M., and Robbie M. Sutton. “Climate Change: Why the Conspiracy Theories Are Dangerous - Karen M. Douglas, Robbie M. Sutton, 2015.” Bulletin of the Atomic Scientists 71, no. 2 (2015): 98–106. https://doi.org/10.1177/0096340215571908.

Doyle, Julie, Nathan Farrell, and Michael K. Goodman. “Celebrities and Climate Change.” Oxford Research Encyclopedia of Climate Science, September 26, 2017. https://doi.org/10.1093/acrefore/9780190228620.013.596.

Dunlap, Jr., Charles J. “The Police-Ization of the Military.” Journal of Political and Military Sociology 27 (1999): 217–32.

Dunn Cavelty, Myriam. “From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse.” International Studies Review 15, no. 1 (March 2013): 105–22. https://doi.org/10.1111/misr.12023.

Duvenage, P., and S. von Solms. “The Case for Cyber Counterintelligence.” In 2013 International Conference on Adaptive Science and Technology, 1–8, 2013. https://doi.org/10.1109/ICASTech.2013.6707493.

Duvenage, PC, and Sebastian von Solms. “Cyber Counterintelligence: Back to the Future.” Journal of Information Warfare 13, no. 4 (2015): 42–56.

Duvenage, Petrus, Thenjiwe Sithole, and Basie von Solms. “Cyber Counterintelligence: An Exploratory Proposition on a Conceptual Framework.” International Journal of Cyber Warfare and Terrorism 9, no. 4 (October 2019): 44–62. https://doi.org/10.4018/IJCWT.2019100103.

Duvenage, Petrus, Thenjiwe Sithole, and Sebastian von Solms. “A Conceptual Framework for Cyber Counterintelligence: Theory That Really Matters.” In European Conference on Cyber Warfare and Security, 109–19. Reading, United Kingdom: Academic Conferences


287

International Limited, 2017. https://search.proquest.com/docview/1966799163/abstract/9550E79F8887474EPQ/1.

Duvenage, Petrus, and Sebastian von Solms. “Putting Counterintelligence in Cyber Counterintelligence: Back to the Future.” In Proceedings of the 13th European Conference on Cyber Warfare and Security, 70–79. Piraeus, Greece: Academic Conferences International Limited, 2014.

Duvenage, Petrus, Sebastian von Solms, and Manuel Corregedor. “The Cyber Counterintelligence Process - a Conceptual Overview and Theoretical Proposition.” In Published Proceedings of the 14th European Conference on Cyber Warfare and Security, 42–51. Hatfield, UK, 2015.

Eckstein, Harry. “Case Study and Theory in Political Science.” In Case Study Method, edited by Roger Gomm, Martyn Hammersley, and Peter Foster, 118–64. London: SAGE Pulications Ltd, 2009. https://dx.doi.org/10.4135/9780857024367.d11.

Edmunds, Timothy. “What Are Armed Forces For? The Changing Nature of Military Roles in Europe.” International Affairs (Royal Institute of International Affairs 1944-) 82, no. 6 (2006): 1059–75.

Eftimiades, Nicholas. “The Impact of Chinese Espionage on the United States.” The Diplomat, December 4, 2018. https://thediplomat.com/2018/12/the-impact-of-chinese-espionage-on-the-united-states/.

Ehrman, John. “What Are We Talking About When We Talk about Counterintelligence? - CIA.” Studies in Intelligence 53, no. 2 (2009). https://www.cia.gov/resources/csi/studies-in-intelligence/volume-53-no-2/what-are-we-talking-about-when-we-talk-about-counterintelligence-pdf-172-0kb/.

Ellul, Jacques. Propaganda: The Formation of Men’s Attitudes. New York: Vintage Books, 1973. Endres, Kyle, and Kristin J. Kelly. “Does Microtargeting Matter? Campaign Contact Strategies and

Young Voters.” Journal of Elections, Public Opinion and Parties 28, no. 1 (January 2, 2018): 1–18. https://doi.org/10.1080/17457289.2017.1378222.

Espiner, Tom. “Hack Attack Forces DigiNotar Bankruptcy.” ZDNet, September 20, 2011. https://www.zdnet.com/article/hack-attack-forces-diginotar-bankruptcy/.

EU vs Disinfo. “Building Swedish Resilience.” EU vs DISINFORMATION, March 28, 2017. https://euvsdisinfo.eu/building-swedish-resilience/.

———. “In Sweden, Resilience Is Key to Combatting Disinformation.” EU vs DISINFORMATION, July 16, 2018. https://euvsdisinfo.eu/in-sweden-resilience-is-key-to-combatting-disinformation/.

European Parliament. Directorate General for Parliamentary Research Services. “Automated Tackling of Disinformation: Major Challenges Ahead.” Euopean Parliamentary Research Service, 2019. https://data.europa.eu/doi/10.2861/368879.

European Union Agency for Cybersecurity. “CSIRT Inventory.” Topic. ENISA | European Union Agency for Cybersecurity, 2021. https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-inventory.

Fabre, Cecile. “Cosmopolitanism, Just War Theory and Legitimate Authority.” International Affairs 84, no. 5 (September 1, 2008): 963–76. https://doi.org/10.1111/j.1468-2346.2008.00749.x.

Fallis, Don. “A Conceptual Analysis of Disinformation.” In IConference 2009 Proceedings, 8. University of Illinois, 2009. http://hdl.handle.net/2142/15205.

Farwell, James P. “The Media Strategy of ISIS.” Survival 56, no. 6 (November 2, 2014): 49–55. https://doi.org/10.1080/00396338.2014.985436.

Farwell, James P., and Rafal Rohozinski. “Stuxnet and the Future of Cyber War.” Survival 53, no. 1 (February 2011): 23–40. https://doi.org/10.1080/00396338.2011.555586.

Fazzini, Kate. “Toys and Apps Often Track Your Kids and Collect Information about Them — Here’s How to Keep Them Safe.” CNBC, November 24, 2018. https://www.cnbc.com/2018/11/23/connected-toys-privacy-risks.html.

Bibliography

288

Federal Bureau of Investigation. “Aldrich Ames.” Page. Federal Bureau of Investigation, 2012. https://www.fbi.gov/history/famous-cases/aldrich-ames.

———. “Robert Hanssen.” Page. Federal Bureau of Investigation, 2001. https://www.fbi.gov/history/famous-cases/robert-hanssen.

Fenwick, Mark, Wulf A. Kaal, and Erik P. M. Vermeulen. “Regulation Tomorrow: What Happens When Technology Is Faster Than the Law?” American University Business Law Review 6, no. 3 (2016): 561–94. https://doi.org/10.2139/ssrn.2834531.

Fernandes, Rossi. “Flame Malware Controllers Send Uninstall Command.” Tech2, 11:02:51 +05:30. https://www.firstpost.com/tech/news-analysis/flame-malware-controllers-send-uninstall-command-3601111.html.

Ferrara, Emilio, Herbert Chang, Emily Chen, Goran Muric, and Jaimin Patel. “Characterizing Social Media Manipulation in the 2020 U.S. Presidential Election.” First Monday, October 19, 2020. https://doi.org/10.5210/fm.v25i11.11431.

Fetzer, James H. “Disinformation: The Use of False Information.” Minds and Machines 14, no. 2 (May 2004): 231–40. https://doi.org/10.1023/B:MIND.0000021683.28604.5b.

FireEye. “Advanced Persistent Threat Groups (APT Groups).” FireEye, 2021. https://www.fireeye.com/current-threats/apt-groups.html.

Floyd, Rita. “Can Securitization Theory Be Used in Normative Analysis? Towards a Just Securitization Theory.” Security Dialogue 42, no. 4–5 (2011): 427–39. https://doi.org/10.1177/0967010611418712.

———. “Towards a Consequentialist Evaluation of Security: Bringing Together the Copenhagen and the Welsh Schools of Security Studies.” Review of International Studies 33, no. 2 (2007): 327–50.

Forum of Incident Response and Security Teams. “FIRST Teams.” FIRST — Forum of Incident Response and Security Teams, 2021. https://www.first.org/members/teams.

Fraser, Nalani, Fred Plan, Jacqueline O’Leary, Vincent Cannon, Leong Raymond, Dan Perez, and Chi-en Shen. “APT41: A Dual Espionage and Cyber Crime Operation.” FireEye, August 7, 2019. https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html.

French, Geoffrey S., and Jin Kim. “Acknowledging the Revolution: The Urgent Need for Cyber Counterintelligence.” National Intelligence Journal 1, no. 1 (2009): 71–90.

Fridman, Ofer. “‘Information War’ as the Russian Conceptualisation of Strategic Communications.” The RUSI Journal 165, no. 1 (January 2, 2020): 44–53. https://doi.org/10.1080/03071847.2020.1740494.

Friedman, Uri. “Putin Said in Helsinki He Wanted Trump to Win.” The Atlantic, July 19, 2018. https://www.theatlantic.com/international/archive/2018/07/putin-trump-election-translation/565481/.

Fruhlinger, Josh. “Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact?” CSO Online, February 12, 2020. https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html.

———. “Marriott Data Breach FAQ: How Did It Happen and What Was the Impact?” CSO Online, February 12, 2020. https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html.

———. “The Mirai Botnet Explained: How IoT Devices Almost Brought down the Internet.” CSO Online, March 9, 2018. https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html.

Fryxell, Alma. “Psywar By Forgery.” Studies in Intelligence, 1961. https://doi.org/10.1037/e740372011-001.


289

Funke, Daniel, and Daniela Flamini. “A Guide to Anti-Misinformation Actions around the World.” Poynter (blog). Accessed May 22, 2021. https://www.poynter.org/ifcn/anti-misinformation-actions/.

Gady, Franz-Stefan. “New Snowden Documents Reveal Chinese Behind F-35 Hack.” The Diplomat, January 27, 2015. https://thediplomat.com/2015/01/new-snowden-documents-reveal-chinese-behind-f-35-hack/.

———. “What the Gulf War Teaches About the Future of War.” The Diplomat, March 2, 2018. https://thediplomat.com/2018/03/what-the-gulf-war-teaches-about-the-future-of-war/.

Galison, Peter. “The Journalist, the Scientist, and Objectivity.” In Objectivity in Science, edited by Flavia Padovani, Alan Richardson, and Jonathan Y. Tsou, Vol. 310. Boston Studies in the Philosophy and History of Science. Cham: Springer International Publishing, 2015. https://doi.org/10.1007/978-3-319-14349-1.

Garrett, R. Kelly. “Social Media’s Contribution to Political Misperceptions in U.S. Presidential Elections.” PLOS ONE 14, no. 3 (March 27, 2019): e0213500. https://doi.org/10.1371/journal.pone.0213500.

Gaskell, Adi. “State Sponsored Cyberattacks Are Happening Right Now.” CyberNews, June 23, 2020. https://cybernews.com/news/state-sponsored-cyberattacks-are-happening-right-now/.

———. “The Rise in State-Sponsored Hacking in 2020.” CyberNews, February 5, 2020. https://cybernews.com/security/the-rise-in-state-sponsored-hacking/.

George, Alexander L., and Andrew Bennett. Case Studies and Theory Development in the Social Sciences. Cambridge: The MIT Press, 2005.

Gerstein, Josh. “U.S. Brings First Charge for Meddling in 2018 Midterm Elections.” POLITICO, October 19, 2018. https://politi.co/2Ajbubq.

Glenza, Jessica. “Russian Trolls ‘spreading Discord’ over Vaccine Safety Online.” the Guardian, August 23, 2018. http://www.theguardian.com/society/2018/aug/23/russian-trolls-spread-vaccine-misinformation-on-twitter.

Gold, Matea, Maggie Farley, and Print. “World Trade Center and Pentagon Attacked on Sept. 11, 2001.” Los Angeles Times, September 12, 2001. https://www.latimes.com/travel/la-xpm-2001-sep-12-na-sept-11-attack-201105-01-story.html.

Goldberg, David. “Lessons from Standing Rock - Of Water, Racism, and Solidarity.” The New England Journal of Medicine 384, no. 14 (2017): 1403–5.

Goldman, Adam. “Justice Dept. Accuses Russians of Interfering in Midterm Elections.” The New York Times, October 19, 2018, sec. U.S. https://www.nytimes.com/2018/10/19/us/politics/russia-interference-midterm-elections.html.

Golovchenko, Yevgeniy, Mareike Hartmann, and Rebecca Adler-Nissen. “State, Media and Civil Society in the Information Warfare over Ukraine: Citizen Curators of Digital Disinformation.” International Affairs 94, no. 5 (2018): 975–94.

Goodin, Dan. “Discovery of New ‘Zero-Day’ Exploit Links Developers of Stuxnet, Flame.” Ars Technica, June 12, 2012. https://arstechnica.com/information-technology/2012/06/zero-day-exploit-links-stuxnet-flame/.

Gordon, Michael R., and Dustin Volz. “Russian Disinformation Campaign Aims to Undermine Confidence in Pfizer, Other Covid-19 Vaccines, U.S. Officials Say.” Wall Street Journal, March 7, 2021, sec. Politics. https://www.wsj.com/articles/russian-disinformation-campaign-aims-to-undermine-confidence-in-pfizer-other-covid-19-vaccines-u-s-officials-say-11615129200.

Gottlieb, Benjamin. “Flame FAQ: All You Need to Know about the Virus.” Washington Post, June 20, 2012. https://web.archive.org/web/20170225103056/https://www.washingtonpost.com/blog

Bibliography

290

s/blogpost/post/flame-faq-all-you-need-to-know-about-the-virus/2012/06/20/gJQAAlrTqV_blog.html.

Government Offices of Sweden. “A Practical Approach on How to Cope with Disinformation.” Government Offices of Sweden, October 6, 2017. https://www.government.se/articles/2017/10/a-practical-approach-on-how-to-cope-with-disinformation/.

———. “Kommittédirektiv - En ny myndighet för psykologiskt försvar (Committee Directive: A New Authority for Psychological Defence).” Stockholm, 2018. https://perma.cc/GCF8-Z6HV.

Goyal, Ravish, Suren Sharma, Savitri Bevinakoppa, and Paul Watters. “Obfuscation of Stuxnet and Flame Malware.” Latest Trends in Applied Informatics and Computing, 2012, 5.

Graff, Garrett M. “The Mirai Botnet Was Part of a College Student Minecraft Scheme.” Wired, December 13, 2017. https://web.archive.org/web/20180210043047/https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/.

Grassi, Paul A, Michael E Garcia, and James L Fenton. “Digital Identity Guidelines.” Gaithersburg, MD: National Institute of Standards and Technology, June 22, 2017. https://doi.org/10.6028/NIST.SP.800-63-3.

Grattan, Michelle. “The Politics of Spin.” Australian Studies in Journalism, 1998, 32–45. Gray, Colin S. The Implications of Preemptive and Preventive War Doctrines: A Reconsideration. Carlisle

Barracks, PA: Strategic Studies Institute, U.S. Army War College, 2007. Greenberg, Andy. “Anonymous’ Most Notorious Hacker Is Back, and He’s Gone Legit.” Wired,

October 21, 2016. https://www.wired.com/2016/10/anonymous-notorious-hacker-back-hes-gone-legit/.

———. “Hack Brief: As FBI Warns Election Sites Got Hacked, All Eyes Are on Russia.” Wired, August 29, 2016. https://www.wired.com/2016/08/hack-brief-fbi-warns-election-sites-got-hacked-eyes-russia/.

———. “How 30 Lines of Code Blew Up a 27-Ton Generator.” Wired, October 23, 2020. https://www.wired.com/story/how-30-lines-of-code-blew-up-27-ton-generator/.

———. “The Colonial Pipeline Hack Is a New Extreme for Ransomware.” Wired. Accessed July 3, 2021. https://www.wired.com/story/colonial-pipeline-ransomware-attack/.

———. “The NSA Confirms It: Russia Hacked French Election ‘Infrastructure.’” Wired, May 9, 2017. https://www.wired.com/2017/05/nsa-director-confirms-russia-hacked-french-election-infrastructure/.

———. “The Strange Journey of an NSA Zero-Day—Into Multiple Enemies’ Hands.” Wired, May 7, 2019. https://www.wired.com/story/nsa-zero-day-symantec-buckeye-china/.

Greenemeier, Larry. “False News Travels 6 Times Faster on Twitter than Truthful News.” PBS NewsHour, March 9, 2018. https://www.pbs.org/newshour/science/false-news-travels-6-times-faster-on-twitter-than-truthful-news.

Greenpeace International. “Greenpeace International.” Greenpeace International, 2021. https://www.greenpeace.org/international.

Greenwald, Glenn. No Place to Hide: Edward Snowden, the NSA and the Surveillance State. Melbourne: Hamish Hamilton, 2014.

Griffiths, Sarah. “Artefacts Destroyed by ISIS Restored in 3D Models by ‘Cyber Archaeology.’” Daily Mail, May 20, 2015. https://www.dailymail.co.uk/sciencetech/article-3087731/Cyber-archaeology-rebuilds-lost-treasures-Public-project-uses-photos-create-3D-models-artefacts-destroyed-ISIS.html.

Guccione, Darren. “What Is the Dark Web? How to Access It and What You’ll Find.” CSO Online, November 18, 2020. https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html.


291

Guerrero-Saade, Juan Andres, Costin Raiu, Daniel Moore, and Thomas Rid. “Penquin’s Moonlit Maze: The Dawn of Nation-State Digital Espionage.” Kaspersky Lab, 2018. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf.

Haataja, Samuli. “The 2007 Cyber Attacks against Estonia and International Law on the Use of Force: An Informational Approach.” Law, Innovation and Technology 9, no. 2 (July 3, 2017): 159–89. https://doi.org/10.1080/17579961.2017.1377914.

Haemmerli, Bernard, and Andrea Renda. “Protecting Critical Infrastructure in the EU.” Centre for European Policy Studies (blog), December 16, 2010. https://www.ceps.eu/ceps-publications/protecting-critical-infrastructure-eu/.

Hammersley, Ben. Approaching the Future: 64 Things You Need to Know Now for Then. Soft Skull Press, 2013.

Harding, Luke. The Snowden Files: The Inside Story of the World’s Most Wanted Man. New York: Vintage Books, 2014.

Haskell-Dowland, Paul. “Facebook Data Breach: What Happened and Why It’s Hard to Know If Your Data Was Leaked.” The Conversation, April 6, 2021. http://theconversation.com/facebook-data-breach-what-happened-and-why-its-hard-to-know-if-your-data-was-leaked-158417.

Hass, Rabea. “The Role of Media in Conflict and Their Influence on Securitisation.” The International Spectator 44, no. 4 (December 2009): 77–91. https://doi.org/10.1080/03932720903351187.

Haubrich, Dirk. “September 11, Anti-Terror Laws and Civil Liberties: Britain, France and Germany Compared 1.” Government and Opposition 38, no. 1 (ed 2003): 3–28. https://doi.org/10.1111/1477-7053.00002.

Hay Newman, Lily. “The Midterm Elections Are Already Under Attack.” Wired, July 20, 2018. https://www.wired.com/story/midterm-elections-vulnerabilities-phishing-ddos/.

Healey, Jason, and Robert Jervis. “The Escalation Inversion and Other Oddities of Situational Cyber Stability.” Texas National Security Review, September 28, 2020. http://tnsr.org/2020/09/the-escalation-inversion-and-other-oddities-of-situational-cyber-stability/.

Heemskerk, Eelke, Jan Fichtner, and Milan Babic. “Who Is More Powerful – States or Corporations?” The Conversation, July 11, 2018. http://theconversation.com/who-is-more-powerful-states-or-corporations-99616.

Heinegg, Wolff Heintschel von. “Legal Implications of Territorial Sovereignty in Cyberspace.” In 4th International Conference on Cyber Conflict, edited by C. Czossek, K. Ziolkowski, and R. Ottis. NATO CCDCOE Publications, 2012.

Henley, Jon. “Russia Waging Information War against Sweden, Study Finds.” the Guardian, January 11, 2017. http://www.theguardian.com/world/2017/jan/11/russia-waging-information-war-in-sweden-study-finds.

Henschke, Adam. Ethics in an Age of Surveillance: Personal Information and Virtual Identities. Cambridge: Cambridge University Press, 2017. https://doi.org/10.1017/9781316417249.

———. “Privacy, the Internet of Things and State Surveillance: Handling Personal Information within an Inhuman System.” Moral Philosophy and Politics 7, no. 1 (May 26, 2020): 123–49. https://doi.org/10.1515/mopp-2019-0056.

Henschke, Adam, and Alastair Reed. “Toward an Ethical Framework for Countering Extremist Propaganda Online.” Studies in Conflict & Terrorism, March 8, 2021, 1–18. https://doi.org/10.1080/1057610X.2020.1866744.

Henschke, Adam, Matthew Sussex, and Courteney O’Connor. “Countering Foreign Interference: Election Integrity Lessons for Liberal Democracies.” Journal of Cyber Policy 5, no. 2 (2020): 180–98.

Bibliography

292

Hensel, Howard M. “Christian Belief and Western Just War Thought.” In The Prism of Just War: Asian and Western Perspectives on the Legitimate Use of Military Force, edited by Howard M. Hensel, 29–86. Justice, International Law and Global Security. Farnham: Ashgate Publishing Limited, 2010.

Herzog, Stephen. “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses.” Journal of Strategic Security 4, no. 2 (2011): 49–60.

Hoffman, Bruce. Inside Terrorism. 3rd ed. Columbia Studies in Terrorism and Irregular Warfare. New York: Columbia University Press, 2017.

Hofverberg, Elin. “Government Responses to Disinformation on Social Media Platforms.” Web page, September 2019. https://www.loc.gov/law/help/social-media-disinformation/sweden.php#_ftn44.

———. “Initiatives to Counter Fake News.” Web page. Library of Congress, April 2019. https://www.loc.gov/law/help/fake-news/sweden.php.

Holmes, Aaron. “533 Million Facebook Users’ Phone Numbers and Personal Data Have Been Leaked Online.” Business Insider Australia, April 3, 2021. https://www.businessinsider.com.au/stolen-data-of-533-million-facebook-users-leaked-online-2021-4.

Hooker, Claire. “How to Cut through When Talking to Anti- Vaxxers and Anti-Fluoriders.” The Conversation, February 17, 2017, 3.

House of Commons Digital, Culture, Media and Sport Committee. “Disinformation and ‘Fake News’: Final Report,” 2019. https://publications.parliament.uk/pa/cm201719/cmselect/cmcumeds/1791/179102.htm.

Howard, John. “Application of the ANZUS Treaty to Terrorist Attacks on the United States.” Prime Minister of Australia | John Howard, September 14, 2001. https://web.archive.org/web/20051022123644/http://www.pm.gov.au/news/media_releases/2001/media_release1241.htm.

Hsu, Jeremy. “Strava Data Heat Maps Expose Military Base Locations Around the World.” Wired, January 29, 2018. https://www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy/.

http://www.jcs.mil, Joint Chiefs of Staff: “DOD Dictionary of Military and Associated Terms (June 2018).” United States. Joint Chiefs of Staff, June 1, 2018. https://www.hsdl.org/?abstract&did=.

Hultqvist, Peter. “Sweden’s Defense Minister: Additional Resources Are Coming to Bolster National Security, Alliances.” Defense News, January 11, 2021. https://www.defensenews.com/outlook/2021/01/11/swedens-defense-minister-additional-resources-are-coming-to-bolster-national-security-alliances/.

Human Rights Watch. “Transfer of Military Hardware to Police Could Lead to Abuses.” Human Rights Watch, August 30, 2017. https://www.hrw.org/news/2017/08/30/transfer-military-hardware-police-could-lead-abuses.

Hunt, Jennifer. “The COVID-19 Pandemic vs Post-Truth.” Global Health Security Network, 2020. https://www.ghsn.org/resources/Documents/GHSN%20Policy%20Report%201.pdf.

Information Commissioner’s Office. “Guide to the UK General Data Protection Regulation (UK GDPR).” Information Commissioner’s Office. ICO, 2021. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/.

Information Warfare Monitor. “Tracking GhostNet: Investigating a Cyber Espionage Network.” The Citizen lab & The SecDev Group, 2009. https://citizenlab.ca/wp-content/uploads/2017/05/ghostnet.pdf.


293

Ingram, Haroro J. A Brief History of Propaganda During Conflict: Lessons for Counter-Terrorism Strategic Communications. ICCT Research Paper. The Hague: The International Centre for Counter-terrorism, 2016. https://books.google.com.au/books?id=XRWTAQAACAAJ.

Inkster, Nigel. “China in Cyberspace.” Survival 52, no. 4 (September 2010): 55–66. https://doi.org/10.1080/00396338.2010.506820.

International Cyber Center. “C.E.R.T in Rest of the World.” International Cyber Center | George Mason University, 2021. http://www.internationalcybercenter.org/certicc/certworld.

International Telecommunications Union. “National Cybersecurity Strategies Repository.” ITU | International Telecommunications Union, 2021. https://www.itu.int:443/en/ITU-D/Cybersecurity/Pages/National-Strategies-repository.aspx.

INTERPOL. “INTERPOL Member Countries.” INTERPOL, 2020. https://www.interpol.int/en/Who-we-are/Member-countries.

Interpol. “INTERPOL Report Shows Alarming Rate of Cyberattacks during COVID-19.” Interpol, August 4, 2020. https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19.

Intersoft Consulting. “General Data Protection Regulation (GDPR) – Official Legal Text.” General Data Protection Regulation (GDPR), September 2, 2019. https://gdpr-info.eu/.

Isaak, J., and M. J. Hanna. “User Data Privacy: Facebook, Cambridge Analytica, and Privacy Protection.” Computer 51, no. 8 (August 2018): 56–59. https://doi.org/10.1109/MC.2018.3191268.

Jacobsen, Katja Lindskov. The Politics of Humanitarian Technology: Good Intentions, Unintended Consequences and Insecurity. Routledge, 2015.

Jain, Riddhi. “A Complete Facebook Data Breach & Privacy Leak Timeline (2005 to 2021).” iTMunch, April 14, 2021. https://itmunch.com/facebook-data-breach-timeline-2005-2021/.

Jenkins, Simon. “The US and Britain Face No Existential Threat. So Why Do Their Wars Go On?” the Guardian, November 15, 2019. http://www.theguardian.com/commentisfree/2019/nov/15/britain-and-us-wars-conflicts-middle-east.

Johnson, Loch K, and James J Wirtz. Intelligence: The Secret World of Spies : An Anthology. New York: Oxford University Press, 2011.

Jones, Christopher W. “Understanding ISIS’s Destruction of Antiquities as a Rejection of Nationalism.” Journal of Eastern Mediterranean Archaeology & Heritage Studies 6, no. 1–2 (2018): 31–58. https://doi.org/10.5325/jeasmedarcherstu.6.1-2.0031.

Jowett, Garth S., and Victoria O’Donnell. Propaganda & Persuasion. Newbury Park: SAGE Publications, 2018.

Joyce, Sean, Kristin Rivera, Brian Castelli, Joseph Nocera, and Emily Stapf. “How to Protect Your Companies from Rising Cyber Attacks and Fraud amid the COVID-19 Outbreak.” PwC, March 2, 2021. https://www.pwc.com/us/en/library/covid-19/cyber-attacks.html.

Kahney, Leander. “The FBI Wanted a Backdoor to the IPhone. Tim Cook Said No.” Wired, April 16, 2019. https://www.wired.com/story/the-time-tim-cook-stood-his-ground-against-fbi/.

Kalsnes, Bente. “Fake News.” In Oxford Research Encyclopedia of Communication. Oxford: Oxford University Press, 2018. https://doi.org/10.1093/acrefore/9780190228613.013.809.

Kalyvas, Andreas. Democracy and the Politics of the Extraordinary: Max Weber, Carl Schmitt, and Hannah Arendt. Cambridge: Cambridge University Press, 2008. https://doi.org/10.1017/CBO9780511755842.

Kang, Cecilia, and Mike Isaac. “Defiant Zuckerberg Says Facebook Won’t Police Political Speech.” The New York Times, October 17, 2019, sec. Business.

Bibliography

294

https://www.nytimes.com/2019/10/17/business/zuckerberg-facebook-free-speech.html.

Kaspersky. “What Is a Whaling Attack?” Kaspersky, 2021. https://www.kaspersky.com/resource-center/definitions/what-is-a-whaling-attack.

———. “What Is the Deep and Dark Web?” www.kaspersky.com, January 13, 2021. https://www.kaspersky.com/resource-center/threats/deep-web.

Kaspersky ICS CERT. “Energetic Bear / Crouching Yeti: Attacks on Servers.” Kaspersky ICS CERT | Kaspersky Industrial Control Systems Cyber Emergency Response Team (blog), April 23, 2018. https://ics-cert.kaspersky.com/reports/2018/04/23/energetic-bear-crouching-yeti-attacks-on-servers/.

Katz, Rita. “To Curb Terrorist Propaganda Online, Look to YouTube. No, Really. | WIRED,” October 20, 2018. https://www.wired.com/story/to-curb-terrorist-propaganda-online-look-to-youtube-no-really/.

Katz, Steven T., and Richard Landes. The Paranoid Apocalypse : A Hundred-Year Retrospective on the Protocols of the Elders of Zion. 1st ed. Vol. 3. Elie Wiesel Center for Judaic Studies. New York University Press, 2011.

Kavanagh, Camino. “New Tech, New Threats, and New Governance Challenges: An Opportunity to Craft Smarter Responses?” Carnegie Endowment for International Peace, August 28, 2019. https://carnegieendowment.org/2019/08/28/new-tech-new-threats-and-new-governance-challenges-opportunity-to-craft-smarter-responses-pub-79736.

Kaysen, Carl, Robert S. McNamara, and George W. Rathjens. “Nuclear Weapons After the Cold War,” June 21, 2018. https://www.foreignaffairs.com/articles/1991-09-01/nuclear-weapons-after-cold-war.

Kelly, Ross. “Almost 90% of Cyber Attacks Are Caused by Human Error or Behavior.” ChiefExecutive.Net (blog), March 3, 2017. https://chiefexecutive.net/almost-90-cyber-attacks-caused-human-error-behavior/.

Kharpal, Arjun. “Apple vs FBI: All You Need to Know.” CNBC, March 29, 2016. https://www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html.

Kim, Young Mie, Jordan Hsu, David Neiman, Colin Kou, Levi Bankston, Soo Yun Kim, Richard Heinrich, Robyn Baragwanath, and Garvesh Raskutti. “The Stealth Media? Groups and Targets behind Divisive Issue Campaigns on Facebook.” Political Communication 35, no. 4 (October 2, 2018): 515–41. https://doi.org/10.1080/10584609.2018.1476425.

Kimsey, John. “‘The Ends of a State’: James Angleton, Counterintelligence and the New Criticism.” The Space Between: Literature and Culture 1914-1945 13 (2017). https://scalar.usc.edu/works/the-space-between-literature-and-culture-1914-1945/vol13_2017_kimsey.

King, Gary, Robert O. Keohane, and Sidney Verba. Designing Social Inquiry: Scientific Inference in Qualitative Research. Princeton: Princeton University Press, 1994.

Knake, Robert K. Untangling Attribution: Moving to Accountability in Cyberspace, § Subcommittee on Technology and Innovation of the United States House of Representatives (2010).

Knudsen, Olav F. “Post-Copenhagen Security Studies: Desecuritizing Securitization.” Security Dialogue 32, no. 3 (2001): 355–68.

Kobie, Nicole. “The Internet of Things: Convenience at a Price.” the Guardian, March 30, 2015. http://www.theguardian.com/technology/2015/mar/30/internet-of-things-convenience-price-privacy-security.

Kollars, Nina. “Cyber Conflict as an Intelligence Competition in an Era of Open Innovation.” Texas National Security Review Special Issue: Cyber Conflict as an Intelligence Contest (2020). https://tnsr.org/roundtable/policy-roundtable-cyber-conflict-as-an-intelligence-contest/.


295

Kostadinov, Dimitar. “GhostNet - Part I.” InfoSec, 2013. https://resources.infosecinstitute.com/topic/ghostnet-part-i/.

Kragh, Martin, and Sebastian Åsberg. “Russia’s Strategy for Influence through Public Diplomacy and Active Measures: The Swedish Case.” Journal of Strategic Studies 40, no. 6 (September 19, 2017): 773–816. https://doi.org/10.1080/01402390.2016.1273830.

Krawchenko, Katiana, Donald Judd, Nancy Cordes, Julianna Goldman, Reena Flores, Rebecca Shabad, Emily Schultheis, Alexander Romano, Steve Chaggaris, and Associated Press. “The John Podesta Emails Released by WikiLeaks.” CBS News, November 3, 2016. https://www.cbsnews.com/news/the-john-podesta-emails-released-by-wikileaks/.

Krebs, Brian. “Adobe Breach Impacted At Least 38 Million Users – Krebs on Security.” Krebs On Security (blog), 2013. https://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/.

———. “Who Makes the IoT Things Under Attack?” Krebs on Security (blog), October 3, 2016. https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/.

Kriel, Charles. “Fake News, Fake Wars, Fake Worlds.” Defence Strategic Communications 3 (2017): 171–89.

Lake, David A., and Patrick M. Morgan. Regional Orders: Building Security in a New World. University Park: Penn State Press, 2010.

Lane, Temryss MacLean. “The Frontline of Refusal: Indigenous Women Warriors of Standing Rock.” International Journal of Qualitative Studies in Education 31, no. 3 (March 16, 2018): 197–214. https://doi.org/10.1080/09518398.2017.1401151.

Lapowsky, Issie. “NATO Group Catfished Soldiers to Prove a Point About Privacy.” Wired, February 18, 2019. https://www.wired.com/story/nato-stratcom-catfished-soldiers-social-media/.

Lawrence, T.E. “Science of Guerilla Warfare.” In Strategic Studies: A Reader, edited by Thomas G. Mahnken and Joseph A. Maiolo. Oxon: Routledge, 2008.

Lawton, Graham. “Conspiracy Theories.” New Scientist, 2021. https://www.newscientist.com/definition/conspiracy-theories/.

Le Masurier, Megan. “Slow Journalism in an Age of Forgetting.” Opinion. ABC Religion & Ethics. Australian Broadcasting Corporation, June 18, 2019. https://www.abc.net.au/religion/slow-journalism-in-an-age-of-forgetting/11221092.

Leahy, Stephen. “Climate Change Driving Entire Planet to Dangerous ’global Tipping Point‘.” Science, November 27, 2019. https://www.nationalgeographic.com/science/article/earth-tipping-point.

Lee, Nathaniel. “How Police Militarization Became an over $5 Billion Business Coveted by the Defense Industry.” CNBC, July 9, 2020. https://www.cnbc.com/2020/07/09/why-police-pay-nothing-for-military-equipment.html.

Lee, Sangwon, and Michael Xenos. “Social Distraction? Social Media Use and Political Knowledge in Two U.S. Presidential Elections.” Computers in Human Behavior 90 (January 1, 2019): 18–25. https://doi.org/10.1016/j.chb.2018.08.006.

Lemos, Rob. “Why the Hack-Back Is Still the Worst Idea in Cybersecurity.” TechBeacon. Accessed April 10, 2021. https://techbeacon.com/security/why-hack-back-still-worst-idea-cybersecurity.

Lempert, Richard. “PRISM and Boundless Informant: Is NSA Surveillance a Threat?” Brookings (blog), November 30, 1AD. https://www.brookings.edu/blog/up-front/2013/06/13/prism-and-boundless-informant-is-nsa-surveillance-a-threat/.

Lenton, Timothy M., Johan Rockström, Owen Gaffney, Stefan Rahmstorf, Katherine Richardson, Will Steffen, and Hans Joachim Schellnhuber. “Climate Tipping Points — Too Risky to Bet Against.” Nature 575, no. 7784 (November 2019): 592–95. https://doi.org/10.1038/d41586-019-03595-0.

Bibliography

296

Lesk, M. “The New Front Line: Estonia under Cyberassault.” IEEE Security Privacy 5, no. 4 (July 2007): 76–79. https://doi.org/10.1109/MSP.2007.98.

Lewandowsky, Stephan, Ullrich K. H. Ecker, Colleen M. Seifert, Norbert Schwartz, and John Cook. “Misinformation and Its Correction: Continued Influence and Successful Debiasing.” Psychological Science in the Public Interest 13, no. 3 (n.d.): 106–31.

Li, Jianing. “Toward a Research Agenda on Political Misinformation and Corrective Information.” Political Communication 37, no. 1 (January 2, 2020): 125–35. https://doi.org/10.1080/10584609.2020.1716499.

Liang, Christina Schori. “Cyber Jihad: Understanding and Countering Islamic State Propaganda.” GCSP Policy Paper. Geneva: Geneva Centre for Security Policy, 2015. https://www.jugendundmedien.ch/fileadmin/PDFs/anderes/schwerpunkt_Radikalisierung/Cyber_Jihad_-_Understanding_and_Countering_Islamic_State_Propaganda.pdf.

Lieber, Chavie. “Big Tech Has Your Kid’s Data — and You Probably Gave It to Them.” Vox, December 5, 2018. https://www.vox.com/the-goods/2018/12/5/18128066/children-data-surveillance-amazon-facebook-google-apple.

Lieber, Keir. “The Offense-Defense Balance and Cyber Warfare.” In Cyber Analogies, edited by Emily O. Goldman and John Arquilla, 96–107. United States Cyber Command, 2014.

Locatelli, Andrea. “The Offense/Defense Balance in Cyberspace.” Working Paper. Milan, 2013. https://publires.unicatt.it/en/publications/the-offensedefense-balance-in-cyberspace-10.

Löfgren, Emma. “How Sweden’s Getting Ready for the Election-Year Information War.” The Local, April 11, 2018. https://web.archive.org/web/20180411113218/https://www.thelocal.se/20171107/how-swedens-getting-ready-for-the-election-year-information-war.

Löfven. “Statsminister Stefan Löfven (S): ”Så ska vi skydda valrörelsen från andra staters påverkan”.” DN. debatt, March 21, 2017. https://web.archive.org/web/20170321054938/https://www.dn.se/debatt/sa-ska-vi-skydda-valrorelsen-fran-andra-staters-paverkan/.

Lohrmann, Dan. “2020: The Year the COVID-19 Crisis Brought a Cyber Pandemic.” Government Technology, December 12, 2020. https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2020-the-year-the-covid-19-crisis-brought-a-cyber-pandemic.html.

Lowenthal, Mark. Intelligence: From Secrets to Policy. 8th ed. Thousand Oaks: SAGE Pulications, Inc, 2020.

Lynn III, William J. “Cybersecurity - Defending a New Domain.” U.S. Department of Defense, 2010. https://archive.defense.gov/home/features/2010/0410_cybersec/lynn-article1.aspx.

Ma, Alexandra. “Parsons Green: Details on London Underground Bomb.” Insider, September 18, 2017. https://www.businessinsider.com/parsons-green-london-underground-attack-bomb-not-worked-properly-experts-2017-9?r=AU&IR=T.

MacFarquhar, Neil. “A Powerful Russian Weapon: The Spread of False Stories.” The New York Times, August 28, 2016, sec. World. https://www.nytimes.com/2016/08/29/world/europe/russia-sweden-disinformation.html.

MacIntyre, Ben. Double Cross: The True Story of the D-Day Spies. London: Bloomsbury Publishing, 2012. https://www.bloomsbury.com/uk/double-cross-9781408819906/.

———. “Operation Mincemeat.” Bloomsbury Publishing, 2010. https://www.bloomsbury.com/uk/operation-mincemeat-9781408809211/.

Mahr, Krista. “How Cape Town Was Saved from Running out of Water.” the Guardian, May 4, 2018. http://www.theguardian.com/world/2018/may/04/back-from-the-brink-how-cape-town-cracked-its-water-crisis.


297

Manjikian, Mary. Cybersecurity Ethics: An Introduction. Oxon: Routledge, 2017. https://www.routledge.com/Cybersecurity-Ethics-An-Introduction/Manjikian/p/book/9781138717527.

Mansfield-Devine, Steve. “Estonia: What Doesn’t Kill You Makes You Stronger | Elsevier Enhanced Reader.” Network Security, 2012. https://doi.org/10.1016/S1353-4858(12)70065-X.

Mareš, Miroslav, and Veronika Netolická. “Georgia 2008: Conflict Dynamics in the Cyber Domain.” Strategic Analysis 44, no. 3 (May 3, 2020): 224–40. https://doi.org/10.1080/09700161.2020.1778278.

Marshall, Michael. “The Tipping Points at the Heart of the Climate Crisis.” the Guardian, September 19, 2020. http://www.theguardian.com/science/2020/sep/19/the-tipping-points-at-the-heart-of-the-climate-crisis.

Masters, Jonathan. “Russia, Trump, and the 2016 U.S. Election.” Council on Foreign Relations, February 26, 2018. https://www.cfr.org/backgrounder/russia-trump-and-2016-us-election.

Matz, S. C., M. Kosinski, G. Nave, and D. J. Stillwell. “Psychological Targeting as an Effective Approach to Digital Mass Persuasion.” Proceedings of the National Academy of Sciences 114, no. 48 (November 28, 2017): 12714. https://doi.org/10.1073/pnas.1710966114.

Mazzetti, Mark. The Way of the Knife: The CIA, A Secret Army, and a War at the Ends of the Earth. New York: Penguin RandomHouse, 2014. https://www.penguinrandomhouse.com/books/311164/the-way-of-the-knife-by-mark-mazzetti/.

McCarthy, Kieren. “Cybersecurity Giant FireEye Says It Was Hacked by Govt-Backed Spies Who Stole Its Crown-Jewels Hacking Tools.” The Register, December 9, 2020. https://www.theregister.com/2020/12/09/fireeye_tools_hacked/.

McCarthy, Tom. “Zuckerberg Says Facebook Won’t Be ‘arbiters of Truth’ after Trump Threat.” the Guardian, May 29, 2020. http://www.theguardian.com/technology/2020/may/28/zuckerberg-facebook-police-online-speech-trump.

McDonald, Avril. “Defining the War on Terror and Status of Detainees: Comments on the Presentation of Judge George Aldrich - ICRC.” Humanitäres Völkerrecht. 1, 14:16:41.0. https://www.icrc.org/en/doc/resources/documents/article/other/5p8avk.htm.

McDonald, Matt. “Securitization and the Construction of Security.” European Journal of International Relations 14, no. 4 (December 2008): 563–87. https://doi.org/10.1177/1354066108097553.

McGinnis, Shelley E. “Dallas, Roswell, Area 51: A Social History of American ‘Conspiracy Tourism.’” University of North Carolina, 2010.

McGowan, Michael. “How the Wellness and Influencer Crowd Serve Conspiracies to the Masses.” the Guardian, February 24, 2021. http://www.theguardian.com/australia-news/2021/feb/25/how-the-wellness-and-influencer-crowd-served-conspiracies-to-the-masses.

McGuinness, Damien. “How a Cyber Attack Transformed Estonia.” BBC News, April 27, 2017, sec. Europe. https://www.bbc.com/news/39655415.

McHugh, Kevin J., Lihong Jing, Sean Y. Severt, Mache Cruz, Morteza Sarmadi, Hapuarachchige Surangi N. Jayawardena, Collin F. Perkinson, et al. “Biocompatible Near-Infrared Quantum Dots Delivered to the Skin by Microneedle Patches Record Vaccination.” Science Translational Medicine 11, no. 523 (December 18, 2019). https://doi.org/10.1126/scitranslmed.aay7162.

McInnes, Colin, and Simon Rushton. “HIV/AIDS and Securitization Theory.” European Journal of International Relations 19, no. 1 (March 1, 2013): 115–38. https://doi.org/10.1177/1354066111425258.

Bibliography

298

Médecins Sans Frontières. “Médecins Sans Frontières (MSF) International.” Médecins Sans Frontières (MSF) International, 2021. https://www.msf.org/.

Meleshevich, Kirill, and Bret Schafer. “Online Information Laundering: The Role of Social Media.” Alliance For Securing Democracy (blog), January 9, 2018. https://securingdemocracy.gmfus.org/online-information-laundering-the-role-of-social-media/.

Merutka, Craig E. “Use of the Armed Forces for Domestic Law Enforcement:” Fort Belvoir, VA: Defense Technical Information Center, March 1, 2013. https://doi.org/10.21236/ADA589451.

Meyer, David S. “Framing National Security: Elite Public Discourse on Nuclear Weapons during the Cold War.” Political Communication 12, no. 2 (April 1, 1995): 173–92. https://doi.org/10.1080/10584609.1995.9963064.

MI5. “Klaus Fuchs | MI5 - The Security Service.” Security Service | MI5, 2020. https://www.mi5.gov.uk/klaus-fuchs.

Microsoft Security Response Center. “MSRC | Our Mission.” Microsoft, 2021. https://www.microsoft.com/en-us/msrc/mission.

Miller, Daniel. “The Weakest Link: The Role of Human Error in Cybersecurity.” Secure World Expo, January 14, 2018. https://www.secureworldexpo.com/industry-news/weakest-link-human-error-in-cybersecurity.

Mills, Elinor. “Shared Code Indicates Flame, Stuxnet Creators Worked Together.” CNET, June 11, 2012. https://www.cnet.com/news/shared-code-indicates-flame-stuxnet-creators-worked-together/.

Milman, Oliver. “James Hansen, Father of Climate Change Awareness, Calls Paris Talks ‘a Fraud.’” the Guardian, December 12, 2015. http://www.theguardian.com/environment/2015/dec/12/james-hansen-climate-change-paris-talks-fraud.

———. “Paris Climate Deal a ‘turning Point’ in Global Warming Fight, Obama Says.” the Guardian, October 5, 2016. http://www.theguardian.com/environment/2016/oct/05/obama-paris-climate-deal-ratification.

Ministry of Defence. “Defence in a Competitive Age.” The APS Group, 2021. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/971859/_CP_411__-_Defence_in_a_competitive_age.pdf.

Ministry of Defence, Government Offices of Sweden. “Main Elements of the Government Bill Totalförsvaret 2021–2025: Total Defence 2021-2025,” October 15, 2020. https://www.government.se/government-policy/defence/objectives-for-swedish-total-defence-2021-2025---government-bill-totalforsvaret-20212025/.

Miranda, Cristina. “Buying an Internet-Connected Smart Toy? Read This.” Consumer Information, December 6, 2018. https://www.consumer.ftc.gov/blog/2018/12/buying-internet-connected-smart-toy-read.

Mudrinich, Erik M. “Cyber 3.0: The Department of Defense Strategy for Operating in Cyberspace and the Attribution Problem.” Air Force Law Review 68 (2012): 167–206.

Mueller, Robert S. United States of America v. Internet Research Agency LLC, No. 1:18-cr-00032-DLF (United States District Court for the District of Columbia 2018).

Munro, Kate. “Deconstructing Flame: The Limitations of Traditional Defences.” Computer Fraud & Security 2012 (October 1, 2012): 8–11. https://doi.org/10.1016/S1361-3723(12)70102-1.

Murray, Stephanie. “Putin: I Wanted Trump to Win the Election.” Politico, July 16, 2018. https://www.politico.com/story/2018/07/16/putin-trump-win-election-2016-722486.

Myers, Norman. “Environment and Security.” Foreign Policy, no. 74 (1989): 23–41. https://doi.org/10.2307/1148850.


299

Myndigheten för samhällsskydd och beredskap. “Countering information influence activities : A handbook for communicators.” Myndigheten för samhällsskydd och beredskap, 2018. https://www.msb.se/sv/publikationer/countering-information-influence-activities--a-handbook-for-communicators/.

———. “MSB i Almedalen: Frukostseminarium Om Informationspåverkan.” Myndigheten för samhällsskydd och beredskap, January 26, 2019. https://web.archive.org/web/20190126040104/https://www.msb.se/sv/Om-MSB/Nyheter-och-press/Nyheter/Nyheter-fran-MSB/MSB-i-Almedalen-Frukostseminarium-om-informationspaverkan/.

———. “Om Krisen Eller Kriget Kommer (Whether the Crisis or War is Coming).” Myndigheten för samhällsskydd och beredskap, 2018. https://perma.cc/4PHH-ZCQG.

Nabe, Cedric. “Impact of COVID-19 on Cybersecurity.” Deloitte Switzerland, December 15, 2020. https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html.

Nagaraja, Shishir, and Ross Anderson. “The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement.” Technical Report. Cambridge: University of Cambridge, 2009. https://web.archive.org/web/20130122081850/http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf.

Nagasako, Tomoko. “Global Disinformation Campaigns and Legal Challenges.” International Cybersecurity Law Review 1, no. 1 (October 1, 2020): 125–36. https://doi.org/10.1365/s43439-020-00010-7.

Nakashima, Ellen. “US and Israel Credited with Shooting Iran down in Flame.” The Sydney Morning Herald, June 20, 2012. https://www.smh.com.au/technology/us-and-israel-credited-with-shooting-iran-down-in-flame-20120620-20ok3.html.

———. “Why the Sony Hack Drew an Unprecedented U.S. Response against North Korea.” Washington Post, January 15, 2015, sec. National Security. https://www.washingtonpost.com/world/national-security/why-the-sony-hack-drew-an-unprecedented-us-response-against-north-korea/2015/01/14/679185d4-9a63-11e4-96cc-e858eba91ced_story.html.

Nakashima, Ellen, and Joby Warrick. “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say.” Washington Post, June 2, 2012, sec. National Security. https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html.

National Cyber Security Centre. “All Products & Services.” National Cyber Security Centre, 2021. https://www.ncsc.gov.uk/section/products-services/all-products-services-categories.

———. “Cyber Aware.” Cyber Aware, 2021. https://www.ncsc.gov.uk/cyberaware/home. ———. “Mitigating Malware and Ransomware Attacks.” National Cyber Security Centre, March

30, 2021. https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks.

———. “Most Hacked Passwords Revealed as UK Cyber Survey Exposes Gaps in Online Security.” National Cyber Security Centre, April 21, 2019. https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security.

———. “NCSC CAF Guidance.” National Cyber Security Centre, 2021. https://www.ncsc.gov.uk/section/private-sector-cni/products-services.

———. “Reporting a Cyber Security Incident.” National Cyber Security Centre, 2021. https://report.ncsc.gov.uk/.

———. “The National Cyber Security Centre.” The National Cyber Security Centre, 2021. https://www.ncsc.gov.uk/.

NATO CCDCOE. “CCDCOE to Host the Tallinn Manual 3.0 Process.” CCDCOE, 2020. https://ccdcoe.org/news/2020/ccdcoe-to-host-the-tallinn-manual-3-0-process/.

Bibliography

300

———. “Strategic Importance of, and Dependence on, Undersea Cables.” Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 219AD.

NATO News. “NATO News: NATO Opens New Centre of Excellence on Cyber Defence.” NATO News, 2008. https://www.nato.int/docu/update/2008/05-may/e0514a.html.

N.C. “Conspiracy Theories Are Dangerous—Here’s How to Crush Them.” The Economist, August 12, 2019. https://www.economist.com/open-future/2019/08/12/conspiracy-theories-are-dangerous-heres-how-to-crush-them.

Neal, David. “Insider Reveals Details of Google Hacks.” iTnews, April 21, 2010. https://www.itnews.com.au/news/insider-reveals-details-of-google-hacks-172661.

Newman, Lily Hay. “DarkSide Ransomware Hit Colonial Pipeline—and Created an Unholy Mess.” Wired. Accessed July 3, 2021. https://www.wired.com/story/darkside-ransomware-colonial-pipeline-response/.

———. “How Leaked NSA Spy Tool ‘EternalBlue’ Became a Hacker Favorite.” Wired, March 7, 2018. https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/.

———. “What Really Caused Facebook’s 500M-User Data Leak?” Wired, April 6, 2021. https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/.

Nicas, Jack, and Katie Benner. “F.B.I. Asks Apple to Help Unlock Two IPhones.” The New York Times, January 7, 2020, sec. Technology. https://www.nytimes.com/2020/01/07/technology/apple-fbi-iphone-encryption.html.

Nish, Adrian, Saher Naumaan, and James Muir. “Enduring Cyber Threats and Emerging Challenges to the Financial Sector.” Carnegie Endowment for International Peace, 2020. https://carnegieendowment.org/2020/11/18/enduring-cyber-threats-and-emerging-challenges-to-financial-sector-pub-83239.

Nolan, Tom. “Militarization Has Fostered a Policing Culture That Sets up Protesters as ‘the Enemy.’” The Conversation, June 2, 2020. http://theconversation.com/militarization-has-fostered-a-policing-culture-that-sets-up-protesters-as-the-enemy-139727.

Norton. “What Is A Botnet?” Norton, 2019. https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html.

———. “What Is the Difference Between Black, White and Grey Hat Hackers?” Norton, 2017. https://us.norton.com/internetsecurity-emerging-threats-what-is-the-difference-between-black-white-and-grey-hat-hackers.html.

Nossiter, Adam, David E. Sanger, and Nicole Perlroth. “Hackers Came, but the French Were Prepared.” The New York Times, May 10, 2017, sec. World. https://www.nytimes.com/2017/05/09/world/europe/hackers-came-but-the-french-were-prepared.html.

Nowakowski, Lauren. “The Moon Landing: Fake Movie Set or the Real Deal?” The Psychology of Extraordinary Beliefs, March 29, 2019. https://u.osu.edu/vanzandt/2019/03/.

NPR Staff. “Cyber Archaeologists Rebuild Destroyed Artifacts.” NPR.org, June 1, 2015. https://www.npr.org/sections/alltechconsidered/2015/06/01/411138497/cyber-archaeologists-rebuild-destroyed-artifacts.

Nye Jr., Joseph S. “Deterrence and Dissuasion in Cyberspace.” International Security 41, no. 3 (January 2017): 44–71. https://doi.org/10.1162/ISEC_a_00266.

Nyman, Joanna. “Securitization Theory.” In Critical Approaches to Security: An Introduction to Theories and Methods, edited by Laura J. Shepherd, 51–62. Oxon: Routledge, 2013.

Obama, Barack. The Atlantic Daily: Our Interview With Barack Obama. Interview by Caroline Mimbs Nyce, November 17, 2020. https://www.theatlantic.com/newsletters/archive/2020/11/why-obama-fears-for-our-democracy/617121/.

O’Connor, Courteney J. “Cyber Counterintelligence: Concept, Actors, and Implications for Security.” In Cyber Security and Policy: A Substantive Dialogue, edited by Andrew Colarik, Julian


301

Jang-Jaccard, and Anuradha Mathrani, 109–28. Palmerston North: Massey University Press, 2017.

OECD. “Combatting COVID-19 Disinformation on Online Platforms,” July 3, 2020. https://www.oecd.org/coronavirus/policy-responses/combatting-covid-19-disinformation-on-online-platforms-d854ec48/.

———. “Trust in Government - OECD.” OECD, 2021. https://www.oecd.org/gov/trust-in-government.htm.

Office of the Director of National Intelligence. “Assessing Russian Activities and Intentions in Recent US Elections.” National Intelligence Council, January 6, 2017. https://www.dni.gov/files/documents/ICA_2017_01.pdf.

Omnicore. “Facebook by the Numbers (2021): Stats, Demographics & Fun Facts,” January 6, 2021. http://www.omnicoreagency.com/facebook-statistics/.

———. “Twitter by the Numbers (2021): Stats, Demographics & Fun Facts,” January 6, 2021. http://www.omnicoreagency.com/twitter-statistics/.

Osborn, Kris. “Shock and Awe: How the First Gulf War Shook the World.” Text. The National Interest. The Center for the National Interest, October 31, 2020. https://nationalinterest.org/blog/reboot/shock-and-awe-how-first-gulf-war-shook-world-171659.

Osborne, Charlie. “Ancient Moonlight Maze Backdoor Remerges as Modern APT.” ZDNet, April 3, 2017. https://www.zdnet.com/article/ancient-moonlight-maze-backdoor-remerges-as-modern-apt/.

O’Sullivan, Donie. “Facebook: Russian Trolls Are Back. And They’re Here to Meddle with 2020.” CNN, October 22, 2019. https://www.cnn.com/2019/10/21/tech/russia-instagram-accounts-2020-election/index.html.

Otis, Cindy. True or False: A CIA Analyst’s Guide to Spotting Fake News. New York: Feiwel and Friends, 2020.

Ottis, Rain. “Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective.” Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2008. https://ccdcoe.org/library/publications/analysis-of-the-2007-cyber-attacks-against-estonia-from-the-information-warfare-perspective/.

Oxford Dictionary. “Discourse| Definition of Discourse by Oxford Dictionary.” Lexico Dictionaries | English, 2021. https://www.lexico.com/definition/discourse.

Pangalos, Philip. “Russia Denies Claims of Involvement in Malaysia Airlines MH17 Crash.” euronews, June 19, 2019. https://www.euronews.com/2019/06/19/russia-denies-claims-of-involvement-in-malaysia-airlines-mh17-crash.

Pankov, Nikolay. “Moonlight Maze: Lessons from History.” Kaspersky Daily, April 3, 2017. https://www.kaspersky.com.au/blog/moonlight-maze-the-lessons/6713/.

Parker, Martin. “Human Science as Conspiracy Theory.” The Sociological Review 48, no. 2 (2000): 191–207.

Patomaki, Heikki. “Absenting the Absence of Future Dangers and Structural Transformations in Securitization Theory.” International Relations 29, no. 1 (2015): 128–36.

Paul, T. V., James J. Wirtz, and Michel Fortmann. Balance of Power: Theory and Practice in the 21st Century. Stanford University Press, 2004.

Pawlyk, Oriana, and Phillip Swarts. “25 Years Later: What We Learned from Desert Storm.” Air Force Times, August 7, 2017. https://www.airforcetimes.com/news/your-air-force/2016/01/21/25-years-later-what-we-learned-from-desert-storm/.

Paz, Christian. “All of Trump’s Lies About the Coronavirus - The Atlantic.” The Atlantic, November 2, 2020. https://www.theatlantic.com/politics/archive/2020/11/trumps-lies-about-coronavirus/608647/.

Bibliography

302

Pearce, Fred. “As Climate Change Worsens, A Cascade of Tipping Points Looms.” Yale E360, December 5, 2019. https://e360.yale.edu/features/as-climate-changes-worsens-a-cascade-of-tipping-points-looms.

Peoples, Columba, and Nick Vaughan-Williams. “Introduction.” In Critical Security Studies: An Introduction, 2nd ed., 1–12. New York: Routledge, 2015.

Perley, Sara. “Arcana Imperii: Roman Political Intelligence, Counterintelligence, and Covert Action in the Mid-Republic.” The Australian National University, 2016.

Perlroth, Nicole. “Russian Hackers Who Targeted Clinton Appear to Attack France’s Macron.” The New York Times, April 25, 2017, sec. World. https://www.nytimes.com/2017/04/24/world/europe/macron-russian-hacking.html.

Pew Research Center. “Facts on News Media and Political Polarization in Sweden.” Pew Research Center’s Global Attitudes Project (blog), May 17, 2018. https://www.pewresearch.org/global/fact-sheet/news-media-and-political-attitudes-in-sweden/.

———. “Public Trust in Government: 1958-2021.” Pew Research Center - U.S. Politics & Policy (blog), May 17, 2021. https://www.pewresearch.org/politics/2021/05/17/public-trust-in-government-1958-2021/.

Pilkington, Ed. “Jeremy Hammond: FBI Directed My Attacks on Foreign Government Sites.” the Guardian, November 15, 2013. http://www.theguardian.com/world/2013/nov/15/jeremy-hammond-fbi-directed-attacks-foreign-government.

Polyakova, Alina. “The Kremlin’s Plot Against Democracy.” Foreign Affairs, 2020. https://www.foreignaffairs.com/articles/russian-federation/2020-08-11/putin-kremlins-plot-against-democracy.

Polyakova, Alina, and Daniel Fried. “Democratic Defense against Disinformation 2.0.” Report. Atlantic Council, June 9, 2019. https://apo.org.au/node/242041.

Popescul, Daniela, and Mircea Georgescu. “Internet of Things - Some Ethical Issues.” The USV Annals of Economics and Public Administration 13, no. 2 (2013): 7.

Posetti, Julie, and Alice Matthews. “A Short Guide to the History of ’fake News’ and Disinformation.” International Center for Journalists, 2018. https://www.icfj.org/sites/default/files/2018-07/A%20Short%20Guide%20to%20History%20of%20Fake%20News%20and%20Disinformation_ICFJ%20Final.pdf.

Prochko, Veronika. “The International Legal View of Espionage.” E-International Relations (blog), March 30, 2018. https://www.e-ir.info/2018/03/30/the-international-legal-view-of-espionage/.

Prunckun, Hank. Counterintelligence Theory and Practice. 2nd ed. Lanham: Rowman & LIttlefield Publishers, 2019. https://rowman.com/ISBN/9781786606884/Counterintelligence-Theory-and-Practice-Second-Edition.

PsyMetrics. “The OCEAN Profile.” PsyMetrics, 2013. https://www.psymetricsworld.com/ocean.html.

Putnam, Patrick. “Script Kiddie: Unskilled Amateur or Dangerous Hackers?” United States Cybersecurity Magazine, September 14, 2018. https://www.uscybersecurity.net/script-kiddie/.

Radsan, A John. “The Unresolved Equation of Espionage and International Law.” Michigan Journal of International Law 28, no. 3 (2007): 595–623.

Ragan, Steve. “Raising Awareness Quickly: The EBay Data Breach.” CSO Online, May 21, 2014. https://www.csoonline.com/article/2157782/security-awareness-raising-awareness-quickly-the-ebay-database-compromise.html.

Ranker. “22 Celebs Who Are Saving the Environment.” Ranker, May 31, 2019. https://www.ranker.com/list/celebrity-environmentalists/celebrity-lists.


303

Redmond, Paul J. “The Challenges of Counterintelligence.” In Intelligence: The Secret World of Spies, edited by Loch K. Johnson and James J. Wirtz, 3rd ed., 295–306. New York: Oxford University Press, 2011.

Reed, Alastair. “Counter-Terrorism Strategic Communications: Back to the Future, Lessons from Past and Present.” The International Centre for Counter-Terrorism, July 4, 2017. https://icct.nl/publication/counter-terrorism-strategic-communications-back-to-the-future-lessons-from-past-and-present/.

———. “IS Propaganda: Should We Counter the Narrative?” The International Centre for Counter-Terrorism, March 17, 2017. https://icct.nl/publication/is-propaganda-should-we-counter-the-narrative/.

Reserve Bank of Australia. “The Global Financial Crisis | Explainer | Education.” Reserve Bank of Australia, April 17, 2019. Australia. https://www.rba.gov.au/education/resources/explainers/the-global-financial-crisis.html.

Reus-Smit, Christian. “Constructivism.” In Theories of International Relations, 5th ed., 217–40. New York: Palgrave Macmillan, 2013.

Reuters. “Australian State Violated Human Rights in COVID Lockdown-Report.” Reuters, December 17, 2020. https://www.reuters.com/article/health-coronavirus-australia-towers-idUSKBN28R0EC.

Reuters in Berlin. “NSA Tapped German Chancellery for Decades, WikiLeaks Claims.” the Guardian, July 8, 2015. http://www.theguardian.com/us-news/2015/jul/08/nsa-tapped-german-chancellery-decades-wikileaks-claims-merkel.

Reuters Staff. “Factbox: ‘Fake News’ Laws around the World.” Reuters, April 2, 2019. https://www.reuters.com/article/us-singapore-politics-fakenews-factbox-idUSKCN1RE0XN.

———. “False Claim: 5G Networks Are Making People Sick, Not Coronavirus.” Reuters, March 16, 2020. https://www.reuters.com/article/uk-factcheck-coronavirus-5g-idUSKBN2133TI.

———. “JPMorgan Hack Exposed Data of 83 Million, among Biggest Breaches in History.” Reuters, October 2, 2014. https://www.reuters.com/article/us-jpmorgan-cybersecurity-idUSKCN0HR23T20141002.

Rid, Thomas. Active Measures: The Secret History of Disinformation and Political Warfare. London: Profile Books, 2020.

———. Cyber War Will Not Take Place. London: Hurst, 2013. Rid, Thomas, and Ben Buchanan. “Hacking Democracy.” SAIS Review of International Affairs 38,

no. 1 (2018): 3–16. https://doi.org/10.1353/sais.2018.0001. Riedel, Bruce. “30 Years after Our ‘Endless Wars’ in the Middle East Began, Still No End in Sight.”

Brookings (blog), July 27, 2020. https://www.brookings.edu/blog/order-from-chaos/2020/07/27/30-years-after-our-endless-wars-in-the-middle-east-began-still-no-end-in-sight/.

Rietjens, Sebastiaan. “Unraveling Disinformation: The Case of Malaysia Airlines Flight MH17.” The International Journal of Intelligence, Security, and Public Affairs 21, no. 3 (September 2, 2019): 195–218. https://doi.org/10.1080/23800992.2019.1695666.

Riley, K. Jack, and Aaron C. Davenport. “How to Reform Military Gear Transfers to Police.” RAND Corporation, July 13, 2020. https://www.rand.org/blog/2020/07/how-to-reform-military-gear-transfers-to-police.html.

Robarge, David. “‘Cunning Passages, Contrived Corridors’: Wandering in the Angletonian Wilderness.” Studies in Intelligence 53, no. 4 (2009): 49–61.

———. “Moles, Defectors, and Deceptions: James Angleton and CIA Counterintelligence.” Journal of Intelligence History 3, no. 2 (December 2003): 21–49. https://doi.org/10.1080/16161262.2003.10555085.

Bibliography

304

Romero, Simon. “Fauci Pushes Back against Trump for Misrepresenting His Stance on Masks.” The New York Times, October 1, 2020, sec. World. https://www.nytimes.com/2020/10/01/world/fauci-pushes-back-against-trump-for-misrepresenting-his-stance-on-masks.html.

Romerstein, Herbert. “Disinformation as a KGB Weapon in the Cold War.” Journal of Intelligence History 1, no. 1 (June 2001): 54–67. https://doi.org/10.1080/16161262.2001.10555046.

Roth, Yoel, and Ashita Achuthan. “Building Rules in Public: Our Approach to Synthetic & Manipulated Media.” Twitter, February 4, 2020. https://blog.twitter.com/en_us/topics/company/2020/new-approach-to-synthetic-and-manipulated-media.html.

Roth, Yoel, and Nick Pickles. “Updating Our Approach to Misleading Information.” Twitter, May 11, 2020. https://blog.twitter.com/en_us/topics/product/2020/updating-our-approach-to-misleading-information.html.

Rumsfeld, Donald. “Defense.Gov Transcript: DoD News Briefing - Secretary Rumsfeld and Gen. Myers.” U.S. Department of Defense, February 12, 2002. https://web.archive.org/web/20190428122842/https://archive.defense.gov/Transcripts/Transcript.aspx?TranscriptID=2636.

Runyon, Jennifer. “60 Minutes Investigates Chinese Cyber-Espionage in Wind Industry.” Renewable Energy World (blog), January 18, 2016. https://www.renewableenergyworld.com/wind-power/60-minutes-investigates-chinese-cyber-espionage-in-wind-industry/.

Ruser, Nathan. “Strava Released Their Global Heatmap.” Twitter, January 28, 2018. https://twitter.com/Nrg8000/status/957318498102865920.

Rushe, Dominic. “JP Morgan Chase Reveals Massive Data Breach Affecting 76m Households.” the Guardian, October 3, 2014. http://www.theguardian.com/business/2014/oct/02/jp-morgan-76m-households-affected-data-breach.

Russell, Jon. “Fitness App Strava Exposes the Location of Military Bases.” TechCrunch (blog), January 29, 2018. https://social.techcrunch.com/2018/01/28/strava-exposes-military-bases/.

Rust, John, and Susan Golombok. Modern Psychometrics: The Science of Psychological Assessment. New York: Routledge, 2009. https://www.routledge.com/Modern-Psychometrics-The-Science-of-Psychological-Assessment/Rust-Golombok/p/book/9780415442152.

Salter, Mark B., and Can E. Mutlu. “Securitisation and Diego Garcia.” Review of International Studies 39, no. 4 (October 2013): 815–34. http://dx.doi.org/10.1017/S0260210512000587.

Sanger, David E. “Obama Order Sped Up Wave of Cyberattacks Against Iran.” The New York Times, June 1, 2012, sec. World. https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html.

Sanger, David E., and Nicole Perlroth. “FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State.” The New York Times, December 8, 2020, sec. Technology. https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html.

Satter, Raphael, Jeff Donn, and Chad Day. “Inside Story: How Russians Hacked the Democrats’ Emails.” AP NEWS, November 4, 2017. https://apnews.com/article/hillary-clinton-phishing-moscow-russia-only-on-ap-dea73efc01594839957c3c9a6c962b8a.

Schadlow, Nadia, and Brayden Helwig. “Protecting Undersea Cables Must Be Made a National Security Priority.” Defense News, July 1, 2020. https://www.defensenews.com/opinion/commentary/2020/07/01/protecting-undersea-cables-must-be-made-a-national-security-priority/.

Schmitt, Michael N., ed. Tallinn Manual on the International Law Applicable to Cyber Warfare. Tallinn Manual 1. Cambridge: Cambridge University Press, 2013. https://www.cambridge.org/au/academic/subjects/law/humanitarian-law/tallinn-


305

manual-international-law-applicable-cyber-warfare, https://www.cambridge.org/au/academic/subjects/law/humanitarian-law.

Schmitt, Michael N., and Liis Vihul. “Proxy Wars in Cyberspace: The Evolving International Law of Attribution Policy.” Fletcher Security Review 1, no. 2 (2014): 53–72.

———, eds. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Tallinn Manual 2. Cambridge: Cambridge University Press, 2017. https://www.cambridge.org/au/academic/subjects/law/humanitarian-law/tallinn-manual-20-international-law-applicable-cyber-operations-2nd-edition, https://www.cambridge.org/au/academic/subjects/law/humanitarian-law.

Schmitt, Olivier. “When Are Strategic Narratives Effective? The Shaping of Political Discourse through the Interaction between Political Myths and Strategic Narratives.” Contemporary Security Policy 39, no. 4 (October 2, 2018): 487–511. https://doi.org/10.1080/13523260.2018.1448925.

Schmitz, Aldo Antonio, and Francisco Jose Castilhos Karam. “The Spin Doctors of News Sources.” Brazilian Journalism Research 9, no. 1 (2013): 96–113.

Schroeder, Ralph. “Even in Sweden?: Misinformation and Elections in the New Media Landscape.” Nordic Journal of Media Studies 2, no. 1 (June 7, 2020): 97–108. https://doi.org/10.2478/njms-2020-0009.

Scott. “In Race for Coronavirus Vaccine, Russia Turns to Disinformation.” POLITICO, November 19, 2020. https://www.politico.eu/article/covid-vaccine-disinformation-russia/.

Scott, Cory. “Protecting Our Members.” LinkedIn, May 18, 2016. https://blog.linkedin.com/2016/05/18/protecting-our-members.

Scott, Mark, and Carlo Martuscelli. “Meet Sputnik V, Russia’s Trash-Talking Coronavirus Vaccine.” Politico, April 1, 2021. https://www.politico.eu/article/russia-coronavirus-vaccine-disinformation-sputnik/.

Searle, John R. “A Taxonomy of Illocutionary Acts.” Minnesota Studies in the Philosophy of Science 7 (1975): 344–69.

Seebeck, Lesley. “Why the Fifth Domain Is Different.” The Strategist, September 4, 2019. https://www.aspistrategist.org.au/why-the-fifth-domain-is-different/.

SelfKey. “Facebook’s Data Breaches - A Timeline.” SelfKey (blog), March 11, 2020. https://selfkey.org/facebooks-data-breaches-a-timeline/.

Selgelid, Michael J., and Christian Enemark. “Infectious Diseases, Security and Ethics: The Case of Hiv/Aids.” Bioethics 22, no. 9 (2008): 457–65. https://doi.org/10.1111/j.1467-8519.2008.00696.x.

Senate Select Committee on Intelligence. “Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election Volume 2: Russia’s Use of Social Media With Additional Views.” Russian Active Measures Campaigns and Interfernece in the 2016 U.S. Elections. Washington, D.C.: United States Senate, 2019. https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume2.pdf.

———. “S. Hrg. 115-105 Russian Intervention in European Elections.” U.S. Senate Select Committee on Intelligence, June 28, 2017. https://www.intelligence.senate.gov/hearings/open-hearing-russian-intervention-european-elections#.

Sengupta, Kim. “The Final WhatsApp Message Sent by Westminster Attacker Khalid Masood Has Been Released by Security Agencies.” The Independent, April 28, 2017. https://www.independent.co.uk/news/uk/crime/last-message-left-westminster-attacker-khalid-masood-uncovered-security-agencies-a7706561.html.

Bibliography

306

Shackelford, Scott. “The Battle against Disinformation Is Global.” The Conversation. Accessed May 22, 2021. http://theconversation.com/the-battle-against-disinformation-is-global-129212.

Shearer, Elisa. “Social Media Outpaces Print Newspapers in the U.S. as a News Source.” Pew Research Center (blog), December 10, 2018. https://www.pewresearch.org/fact-tank/2018/12/10/social-media-outpaces-print-newspapers-in-the-u-s-as-a-news-source/.

Sheldon, Rose Mary. “A Guide to Intelligence from Antiquity to Rome.” The Intelligencer 18, no. 3 (2011): 49–51.

———. “Caesar, Intelligence, and Ancient Britain.” International Journal of Intelligence and CounterIntelligence 15, no. 1 (January 2002): 77–100. https://doi.org/10.1080/088506002753412892.

Sienkiewicz, Matt. “Open BUK: Digital Labor, Media Investigation and the Downing of MH17.” Critical Studies in Media Communication 32, no. 3 (May 27, 2015): 208–23. https://doi.org/10.1080/15295036.2015.1050427.

Sigholm, J., and M. Bang. “Towards Offensive Cyber Counterintelligence: Adopting a Target-Centric View on Advanced Persistent Threats.” In 2013 European Intelligence and Security Informatics Conference, 166–71. IEEE Computer Society, 2013. https://doi.org/10.1109/EISIC.2013.37.

Sjöstedt, Roxanna. “Exploring the Construction of Threats: The Securitization of HIV/AIDS in Russia.” Security Dialogue 39, no. 1 (March 1, 2008): 7–29. https://doi.org/10.1177/0967010607086821.

Smith, Gavin, and Valeska Bloch. “The Hack Back: The Legality of Retaliatory Hacking.” Allens: Insight, October 17, 2018. https://www.allens.com.au/insights-news/insights/2018/10/pulse-the-hack-back-the-legality-of-retaliatory-hacking/.

Smith, Hugh. “The Use of Armed Forces in Law Enforcement: Legal, Constitutional and Political Issues in Australia.” Australian Journal of Political Science 33, no. 2 (July 1998): 219–33. https://doi.org/10.1080/10361149850624.

Smith, Michael. The Secrets of Station X: How the Bletchley Park Codebreakers Helped Win the War. Hull: Biteback Publishing, 2011.

Smyczek, Peter J. “Regulating the Battlefield of the Future: The Legal Limitations on the Conduct of Psychological Operations (PSYOP) under Public International Law. - Free Online Library.” Air Force Law Review 57 (2005): 209–40.

Sottek, T. C., and Janus Kopfstein. “Everything You Need to Know about PRISM.” The Verge, July 17, 2013. https://www.theverge.com/2013/7/17/4517480/nsa-spying-prism-surveillance-cheat-sheet.

Spadafora, Anthony. “Hackers Use Covid-19 ‘special Offers’ to Spread Malware.” TechRadar, March 23, 2020. https://www.techradar.com/au/news/hackers-use-covid-19-special-offers-to-spread-malware.

———. “Mirai Botnet Returns to Target IoT Devices.” TechRadar, March 19, 2019. https://www.techradar.com/news/mirai-botnet-returns-to-target-iot-devices.

Spencer, Saranac Hale. “Conspiracy Theory Misinterprets Goals of Gates Foundation.” FactCheck.Org (blog), April 14, 2020. https://www.factcheck.org/2020/04/conspiracy-theory-misinterprets-goals-of-gates-foundation/.

Stanley, Jason. How Propaganda Works. Princeton: Princeton University Press, 2015. Steffek, Jens. “Discursive Legitimation in Environmental Governance | Elsevier Enhanced

Reader.” Forest Policy and Economic 11 (2009): 313–18. https://doi.org/10.1016/j.forpol.2009.04.003.

Steiner, Eva. “Legislating against Terrorism-The French Approach.” Lecture. London: Chatham House, 2005.


307

https://www.chathamhouse.org/sites/default/files/public/Research/International%20Law/ilp081205.doc.

Stelzenmüller, Constanze. “The Impact of Russian Interference on Germany’s 2017 Elections.” Brookings (blog), June 28, 2017. https://www.brookings.edu/testimonies/the-impact-of-russian-interference-on-germanys-2017-elections/.

Stiennon, Richard. “A Short History of Cyber Warfare.” In Cyber Warfare: A Multidisciplinary Analysis, edited by James A. Green, 7–32. Oxon: Routledge, 2015.

Stritzel, Holger. Security in Translation: Securitization Theory and the Localization of Threat. New Security Challenges. New York: Palgrave Macmillan, 2014.

Stritzel, Holger, and Sean C Chang. “Securitization and Counter-Securitization in Afghanistan.” Security Dialogue 46, no. 6 (December 1, 2015): 548–67. https://doi.org/10.1177/0967010615588725.

Strömbäck, Jesper, Yariv Tsfati, Hajo Boomgaarden, Alyt Damstra, Elina Lindgren, Rens Vliegenthart, and Torun Lindholm. “News Media Trust and Its Impact on Media Use: Toward a Framework for Future Research.” Annals of the International Communication Association 44, no. 2 (April 2, 2020): 139–56. https://doi.org/10.1080/23808985.2020.1755338.

Suciu, Peter. “More Americans Are Getting Their News From Social Media.” Forbes, October 11, 2019. https://www.forbes.com/sites/petersuciu/2019/10/11/more-americans-are-getting-their-news-from-social-media/.

Sunawar, Lubna. “Regional Security Complex Theory: A Case Study of Afghanistan-Testing the Alliance.” Journal of Security and Strategic Analyses 4, no. 2 (Winter 2018): 53–78.

Swami, Viren, Jakob Pietschnig, Ulrich S. Tran, Ingo W. Nader, Stefan Stieger, and Martin Voracek. “Lunar Lies: The Impact of Informational Framing and Individual Differences in Shaping Conspiracist Beliefs About the Moon Landings.” Applied Cognitive Psychology 27, no. 1 (2013): 71–80. https://doi.org/10.1002/acp.2873.

Swift, John. “The Soviet-American Arms Race | History Today.” History Today, 2009. https://www.historytoday.com/archive/soviet-american-arms-race.

Sydow, Björn von. “NATO Review - Resilience: Planning for Sweden’s ‘Total Defence.’” NATO Review, April 4, 2018. https://www.nato.int/docu/review/articles/2018/04/04/resilience-planning-for-swedens-total-defence/index.html.

Talbot, id. “How Technology Failed in Iraq.” MIT Technology Review, November 1, 2004. https://www.technologyreview.com/2004/11/01/232152/how-technology-failed-in-iraq/.

Taureck, Rita. “Securitization Theory and Securitization Studies.” Journal of International Relations and Development 9, no. 1 (March 2006): 53–61. http://dx.doi.org.virtual.anu.edu.au/10.1057/palgrave.jird.1800072.

Taylor, Margaret L. “Combating Disinformation and Foreign Interference in Democracies: Lessons from Europe.” Brookings (blog), July 31, 2019. https://www.brookings.edu/blog/techtank/2019/07/31/combating-disinformation-and-foreign-interference-in-democracies-lessons-from-europe/.

Taylor, Stan A. “Definitions and Theories of Counterintelligence.” In Essentials of Strategic Intelligence, edited by Loch K. Johnson, 285–302. Praeger Security International Textbook. Santa Barbara: Praeger, 2015.

Telford, Taylor. “1,464 Western Australian Government Officials Used ‘Password123’ as Their Password. Cool, Cool.” Washington Post, August 23, 2018. https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/.

Tenove, Chris, Jordan Buffie, Spencer McKay, and David Moscrop. “Digital Threats to Democratic Elections: How Foreign Actors Use Digital Techniques to Undermine

Bibliography

308

Democracy.” Centre for the Study of Democratic Institutions, 2018. https://www.ssrn.com/abstract=3235819.

The Economist. “The World’s Most Valuable Resource Is No Longer Oil, but Data.” The Economist, May 6, 2017. https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data.

The Guardian Staff. “World Leaders Express Outrage.” The Guardian, September 11, 2001. http://www.theguardian.com/world/2001/sep/11/september11.usa10.

The Irish Times. “London Terror Attack: Who Was Khuram Shazad Butt?” The Irish Times. Accessed May 15, 2021. https://www.irishtimes.com/news/world/uk/london-terror-attack-who-was-khuram-shazad-butt-1.3109174.

The Kurdish Project. “Where Is Kurdistan?” The Kurdish Project (blog), 2021. https://thekurdishproject.org/kurdistan-map/.

The Local. “Russia Spreading Fake News and Forged Docs in Sweden: Report.” The Local Sweden (blog), January 7, 2017. https://www.thelocal.se/20170107/swedish-think-tank-details-russian-disinformation-in-new-study/.

———. “Sweden to Create New Authority Tasked with Countering Disinformation.” The Local Sweden, January 15, 2018. https://www.thelocal.se/20180115/sweden-to-create-new-authority-tasked-with-countering-disinformation/.

Thomas, Elise. “Covid-19 Disinformation Campaigns Shift Focus to Vaccines.” The Strategist, August 23, 2020. https://www.aspistrategist.org.au/covid-19-disinformation-campaigns-shift-focus-to-vaccines/.

Thomas, Elise, and Albert Zhang. “ID2020, Bill Gates and the Mark of the Beast: How Covid-19 Catalyses Existing Online Conspiracy Movements.” Australian Strategic Policy Institute International Cyber Policy Centre, 2020.

Thorsen, Einar. “Journalistic Objectivity Redefined? Wikinews and the Neutral Point of View.” New Media & Society 10, no. 6 (December 1, 2008): 935–54. https://doi.org/10.1177/1461444808096252.

Thorson, Emily. “Belief Echoes: The Persistent Effects of Corrected Misinformation.” Political Communication 33, no. 3 (July 2, 2016): 460–80. https://doi.org/10.1080/10584609.2015.1102187.

Timberg, Craig. “The Real Story of How the Internet Became so Vulnerable.” Washington Post (blog), 2015. http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/.

TOR. “The Tor Project | Privacy & Freedom Online.” TOR, 2021. https://torproject.org. Toucas, Boris. “Exploring the Information-Laundering Ecosystem: The Russian Case.” Center for

Strategic & International Studies, August 31, 2017. https://www.csis.org/analysis/exploring-information-laundering-ecosystem-russian-case.

———. “The Macron Leaks: The Defeat of Informational Warfare.” Center for Strategic & International Studies, May 30, 2017. https://www.csis.org/analysis/macron-leaks-defeat-informational-warfare.

Traynor, Ian. “Angela Merkel: NSA Spying on Allies Is Not On.” the Guardian, October 24, 2013. http://www.theguardian.com/world/2013/oct/24/angela-merkel-nsa-spying-allies-not-on.

Trevors, Gregory J., Krista R. Muis, Reinhard Pekrun, Gale M. Sinatra, and Philip H. Winne. “Identity and Epistemic Emotions During Knowledge Revision: A Potential Account for the Backfire Effect.” Discourse Processes 53, no. 5–6 (July 3, 2016): 339–70. https://doi.org/10.1080/0163853X.2015.1136507.

Trump, Donald. “Nevada Is Turning out to Be a Cesspool of Fake Votes. @mschlapp & @AdamLaxalt Are Finding Things That, When Released, Will Be Absolutely Shocking!” Twitter, November 10, 2020.


309

https://web.archive.org/web/20201109195514/https://twitter.com/realdonaldtrump/status/1325889532840062976.

Turner Johnson, James. “Thinking Morally about War in the Middle Ages and Today.” In Ethics, Nationalism, and Just War: Medieval and Contemporary Perspectives, edited by Henrik Syse and Gregory M. Reichberg, 3–10. Washington, D.C.: The Catholic University of America Press, 2007.

UK Public General Acts. “Data Protection Act 2018.” Legislation.gov.uk. Queen’s Printer of Acts of Parliament, 2018. https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted.

UNAIDS. “UNAIDS | United Nations.” United Nations AIDS, 2021. https://www.unaids.org/en/Homepage.

UNFPA. “UNFPA - United Nations Population Fund.” United Nations Population Fund, 2021. https://www.unfpa.org/.

UNICEF. “UNICEF | United Nations.” United Nations Children’s Fund, 2021. https://www.unicef.org/.

United Nations. “Counter-Terrorism Committee.” United Nations Security Council Counter-Terrorism Committee, 2021. https://www.un.org/sc/ctc/.

———. “History of the Question of Palestine.” Question of Palestine (blog), March 19, 2020. https://www.un.org/unispal/history/.

———. “Paris Agreement - Status of Ratification.” United Nations Climate Change, 2016. https://unfccc.int/process/the-paris-agreement/status-of-ratification.

United Nations Institute for Disarmament Research. “The Cyber Index: International Security Trends and Realities.” Geneva: United Nations Institute for Disarmament Research, 2013. https://www.unidir.org/files/publications/pdfs/cyber-index-2013-en-463.pdf.

———. “UNIDIR Cyber Policy Portal.” UNIDIR Cyber Policy Portal, 2021. https://unidir.org/cpp/en/.

United Nations Office for Disarmament Affairs. “Group of Governmental Experts - Cyberspace.” United Nations Office for Disarmament Affairs, 2021. https://www.un.org/disarmament/group-of-governmental-experts/.

United Nations Security Council. “20 Years after Adopting Landmark Anti-Terrorism Resolution, Security Council Resolves to Strengthen International Response against Heinous Acts, in Presidential Statement.” United Nations Meetings Coverage and Press Releases, January 12, 2021. https://www.un.org/press/en/2021/sc14408.doc.htm.

United States Department of Defense. “Department of Defense Strategy for Operating in Cyberspace.” United States Department of Defense, 2011. https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf.

United States Department of Homeland Security. “Counterterrorism Laws & Regulations.” Department of Homeland Security, June 4, 2009. https://www.dhs.gov/counterterrorism-laws-regulations.

United States Department of Justice. “The USA PATRIOT Act: Preserving Life and Liberty.” United States Department of Justice, 2001. https://www.justice.gov/archive/ll/highlights.htm.

United States Government. “National Infrastructure Protection Plan | CISA.” Cybersecurity and Infrastructure Security Agency, 2021. https://www.cisa.gov/national-infrastructure-protection-plan.

U.S. Department of Homeland Security. “Homeland Security Digital Library.” Homeland Security Digital Library. Accessed March 20, 2021. https://www.hsdl.org/?search&exact=Senate+Report+on+Russian+Interference+in+2016+Elections&searchfield=series&collection=limited&submitted=Search&advanced=1&release=0&so=date.

Bibliography

310

Uscinski, Joseph E., Karen Douglas, and Stephan Lewandowsky. “Climate Change Conspiracy Theories.” In Oxford Research Encyclopedia of Climate Science. Oxford: Oxford University Press, 2017. https://doi.org/10.1093/acrefore/9780190228620.013.328.

Vaara, Eero. “Struggles over Legitimacy in the Eurozone Crisis: Discursive Legitimation Strategies and Their Ideological Underpinnings.” Discourse & Society 25, no. 4 (July 1, 2014): 500–518. https://doi.org/10.1177/0957926514536962.

Van Wynsberghe, Rob, and Smia Khan. “Redefining Case Study.” International Journal of Qualitative Methods 6, no. 2 (2007): 80–94.

Vardangalos, George. “Cyber-Intelligence and Cyber Counterintelligence (CCI): General Definitions and Principles.” Center for International Strategic Analyses, 2016. https://kedisa.gr/wp-content/uploads/2016/07/Cyber-intelligence-and-Cyber-Counterintelligence-CCI-General-definitions-and-principles-2.pdf.

Varouhakis, Miron. “An Institution-Level Theoretical Approach for Counterintelligence.” International Journal of Intelligence and CounterIntelligence 24, no. 3 (September 2011): 494–509. https://doi.org/10.1080/08850607.2011.568293.

Vazquez, Maegan, and Paul Murphy. “Trump Isn’t the Only Republican Who Gave Cambridge Analytica Big Bucks.” CNN, March 21, 2018. https://www.cnn.com/2018/03/20/politics/cambridge-analytica-republican-ties/index.html.

Ven Der Pijl, Kees. “La Disciplina Del Miedo. La Securitización de Las Relaciones Internacionales Tras El 11-S Desde Una Perspectiva Histórica.” Relaciones Internacionales 31 (2016): 153–87.

Victor, Daniel, Lew Serviss, and Azi Paybarah. “In His Own Words, Trump on the Coronavirus and Masks.” The New York Times, October 2, 2020, sec. U.S. https://www.nytimes.com/2020/10/02/us/politics/donald-trump-masks.html.

Vieira, Marco Antonio. “The Securitization of the HIV/AIDS Epidemic as a Norm: A Contribution to Constructivist Scholarship on the Emergence and Diffusion of International Norms.” Brazilian Political Science Review (Online) 2, no. SE (December 2007): 0–0.

Violino, Bob. “Want to Help Stop Cyber Security Breaches? Focus on Human Error.” ZDNet, January 23, 219AD. https://www.zdnet.com/article/want-to-help-stop-cyber-security-breaches-focus-on-human-error/.

Visit Estonia. “E-Estonia | Why Estonia?” Visitestonia.com, 2021. https://www.visitestonia.com/en/why-estonia/estonia-is-a-digital-society.

Voice of America. “China Denies Any Role in ‘GhostNet’ Computer Hacking | Voice of America - English.” Voice of America, November 2, 2009. https://www.voanews.com/archive/china-denies-any-role-ghostnet-computer-hacking.

Vosoughi, Soroush, Deb Roy, and Sinan Aral. “The Spread of True and False News Online.” Science 359, no. 6380 (March 9, 2018): 1146. https://doi.org/10.1126/science.aap9559.

Vreese, Claes H. de, and Matthijs Elenbaas. “Spin and Political Publicity: Effects on News Coverage and Public Opinion.” In Political Communication in Postmodern Democracy: Challenging the Primacy of Politics, edited by Kees Brants and Katrin Voltmer, 75–91. London: Palgrave Macmillan UK, 2011. https://doi.org/10.1057/9780230294783_5.

Waever, Ole. “Securitisation: Taking Stock of a Research Programme in Security Studies,” 2003. https://docplayer.net/62037981-Securitisation-taking-stock-of-a-research-programme-in-security-studies.html.

Walker, Kent. “Four Steps We’re Taking Today to Fight Terrorism Online.” Google, June 18, 2017. https://blog.google/around-the-globe/google-europe/four-steps-were-taking-today-fight-online-terror/.

Walkowicz, Lucianne. “The Source of UFO Fascination.” Issues in Science and Technology 35, no. 4 (2019): 12–14.


311

Walsh, Nick Paton, Jo Shelley, Eduardo Duwe, and William Bonnett. “Bolsonaro Calls Coronavirus a ‘little Flu.’ Inside Brazil’s Hospitals, Doctors Know the Horrifying Reality.” CNN, May 25, 2020. https://edition.cnn.com/2020/05/23/americas/brazil-coronavirus-hospitals-intl/index.html.

Walton, D.N. “Poisoning the Well.” Argumentation 20, no. 3 (2006): 273–307. https://doi.org/10.1007/s10503-006-9013-z.

Waltz, Kenneth W. Man the State and War: A Theoretical Analysis. 2nd ed. New York: Columbia University Press, 2001.

Watkin, Amy-Louise, and Joe Whittaker. “Evolution of Terrorists’ Use of the Internet.” Text. Counter Terror Business, October 20, 2017. https://counterterrorbusiness.com/features/evolution-terrorists%E2%80%99-use-internet.

Watson, Amy. “Usage of Social Media as a News Source Worldwide 2020.” Statista, June 23, 2020. https://www.statista.com/statistics/718019/social-media-news-source/.

Watson, Scott D. “‘Framing’ the Copenhagen School: Integrating the Literature on Threat Construction.” Millennium: Journal of International Studies 40, no. 2 (January 2012): 279–301. https://doi.org/10.1177/0305829811425889.

Weber, Rolf H. “Internet of Things: Privacy Issues Revisited.” Computer Law & Security Review 31 (2015): 618–27. https://doi.org/10.1016/j.clsr.2015.07.002.

Webman, Esther. The Global Impact of the Protocols of the Elders of Zion: A Century-Old Myth. Florence, United States: Taylor & Francis Group, 2011.

Welch, Craig. “Why Cape Town Is Running Out of Water, and the Cities That Are Next.” Science, March 5, 2018. https://www.nationalgeographic.com/science/article/cape-town-running-out-of-water-drought-taps-shutoff-other-cities.

West, Darrell M. “How to Combat Fake News and Disinformation.” Brookings, December 18, 2017. https://www.brookings.edu/research/how-to-combat-fake-news-and-disinformation/.

Westbrook, Tom. “Joint Strike Fighter Plans Stolen in Australia Cyber Attack.” Reuters, November 10, 2017. https://www.reuters.com/article/us-australia-defence-cyber-idUSKBN1CH00F.

Wetsman, Nicole. “Woman Dies during a Ransomware Attack on a German Hospital.” The Verge, September 17, 2020. https://www.theverge.com/2020/9/17/21443851/death-ransomware-attack-hospital-germany-cybersecurity.

Wettering, Frederick L. “Counterintelligence: The Broken Triad.” International Journal of Intelligence and CounterIntelligence 13, no. 3 (October 2000): 265–300. https://doi.org/10.1080/08850600050140607.

Williams, Martyn. “Inside the Russian Hack of Yahoo: How They Did It.” CSO Online, October 4, 2017. https://www.csoonline.com/article/3180762/inside-the-russian-hack-of-yahoo-how-they-did-it.html.

Williams, Michael C. “Securitization as Political Theory: The Politics of the Extraordinary.” International Relations 29, no. 1 (2015): 114–20.

———. “Words, Images, Enemies: Securitization and International Politics.” International Studies Quarterly 47, no. 4 (December 2003): 511–31. https://doi.org/10.1046/j.0020-8833.2003.00277.x.

Wilson, Mark. “Here Is Facebook’s First Serious Attempt To Fight Fake News.” Fast Company, December 15, 2016. https://www.fastcompany.com/3066630/here-is-facebooks-first-serious-attempt-to-fight-fake-news.

Winder, Davey. “Lockheed Martin, SpaceX And Tesla Caught In Cyber Attack Crossfire.” Forbes, March 2, 2020. https://www.forbes.com/sites/daveywinder/2020/03/02/lockheed-martin-spacex-and-tesla-caught-in-cyber-attack-crossfire/.

Bibliography

312

Windrem, Robert. “Pentagon and Hackers in ‘Cyberwar.’” ZDNet, March 5, 1999. https://www.zdnet.com/article/pentagon-and-hackers-in-cyberwar/.

Winstead, Nicholas. “Hack-Back: Toward A Legal Framework For Cyber Self-Defense.” American University, June 26, 2020. https://www.american.edu/sis/centers/security-technology/hack-back-toward-a-legal-framework-for-cyber-self-defense.cfm.

Wiseman, Geoffrey, and Paul Sharp. “Diplomacy.” In An Introduction to International Relations, edited by Anthony Burke, Jim George, and Richard Devetak, 2nd ed., 256–67. Cambridge: Cambridge University Press, 2011. https://doi.org/10.1017/CBO9781139196598.022.

World Bank Group. “Financial Sector’s Cybersecurity: Regulations and Supervision.” Washington, D.C.: The World Bank Group, 2018.

World Health Organization. “World Health Organization | United Nations.” United Nations World Health Organization, 2021. https://www.who.int.

Wray, Christopher. “Responding Effectively to the Chinese Economic Espionage Threat.” Speech. Federal Bureau of Investigation, February 6, 2020. https://www.fbi.gov/news/speeches/responding-effectively-to-the-chinese-economic-espionage-threat.

Wyn Jones, Richard. Security, Strategy, and Critical Theory. Boulder: Lynne Rienner Publishers, 1999. Yourish, Karen, Larry Buchanan, and Derek Watkins. “A Timeline Showing the Full Scale of

Russia’s Unprecedented Interference in the 2016 Election, and Its Aftermath.” The New York Times, September 20, 2018. https://www.nytimes.com/interactive/2018/09/20/us/politics/russia-trump-election-timeline.html.

Zetter, Kim. “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.” Wired, November 3, 2014. https://web.archive.org/web/20151207190234/https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

———. “Four Indicted in Massive JP Morgan Chase Hack.” Wired, October 10, 2015. https://www.wired.com/2015/11/four-indicted-in-massive-jp-morgan-chase-hack/.

———. “Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers.” Wired, May 28, 2012. https://web.archive.org/web/20141014203532/http://www.wired.com/2012/05/flame/all.

———. “Report: Google Hackers Stole Source Code of Global Password System.” Wired, April 20, 2010. https://www.wired.com/2010/04/google-hackers/.

Zimmermann, Kim Ann, and Jesse Emspak. “Internet History Timeline: ARPANET to the World Wide Web.” Live Science, June 27, 2017. https://www.livescience.com/20727-internet-history.html.

Zuboff, Shoshana. The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. London: Profile Books, 2018.

Zurcher. “Hillary Clinton Emails - What’s It All About?” BBC News, November 6, 2016, sec. US & Canada. https://www.bbc.com/news/world-us-canada-31806907.