The Obama Administration: Cyberspace at a Crossroads

The Obama administration: Cyberspace at a crossroads

Bachelorthesis Political Science
V.U. Amsterdam

Wiebe Zwaan
2503071
Goereesepad 103
1181 EP Amstelveen 27-6-2014

Table of contents

Abstract:pp 3

Introduction:pp 4-6

Theoretical Framework:pp 6-7

Methodology:pp 7-8

Analysis:pp 8-10

Framing Actors:pp 10

The Obama administration’s threat frame:pp 10-14

Countermeasures:pp 15-16

Conclusion:pp 17-18

Bibliography:pp 19-24

Abstract

Cyberspace is an important part of our everyday life. We use the internet to pay our bills, to file our taxes and to shop online for products. Businesses store many of their ‘trade secrets’ and other forms of intellectual property online. Next to that important pieces of a nation’s critical infrastructure nowadays operate by using computers.

When in the early days of the internet there was merely a risk of government owned computer systems being hacked and other risks at the state level, in modern days every part of the internet is at risk. Businesses are being hacked and major economic losses are a part of everyday reality. A governments biggest responsibility is to protect its people and businesses and therefor it has to act on threats. The United States (U.S.) being one of the main actors in this sphere, recent changes in its foreign policy due to the election of president Obama and a changing world (economical) order, combined with the global financial crisis, makes it a very exciting time for ‘cyberspace policies’ in the U.S.. While the government faces new threats and wants to make new laws accordingly, it also has to persuade its people to follow them, still being a democracy. How the Obama administration continues to do so is the question being answered in this thesis.

Introduction

‘Our nation is at a grave risk of a cyberattack that could devastate the national psyche and economy more broadly that did the 9/11 attacks’, as was stated in a letter to President Bush by former White House advisor Richard Clark and more than 50 top computer scientists’ (Clark, 2003).

‘We’ve been watching you systematically destroy the rights of your own people, one law at a time. No longer shall we stand by and watch you enslave our fellow citizens. You have continued down this path of treason by creating acts such as the National Defense Authorization Act, Stop Online Piracy Act, Protect IP Act, and more. You’ve tried to conceal the true purpose of these bills, and pass them without the consent of the American People’, which was written by the Anonymous collective in an open letter to US Congress’ (Anonymous, 2011).

As the quotes show ‘cyberspace’, being defined in the broadest way as the digital world, holds grate risks and affects us all. This risk we call ‘cyber-threats’ and they emerge in the most common and broad definition:

‘[F]rom the malicious use of information and communication technologies (ICT) either as a
target or as a tool by a wide range of malevolent actors’
(Cavelty, 2008, pp 54).

When Obama was elected in 2008 the world called it a historic moment. It was time for a change(Afriprov.org,2014).
Among other things the Iraq war had to be ended, Guantanamo bay had to be closed but also the policy concerning cyberspace was changed strongly. Given the great amount of attention the Obama administration gave and still gives to the topic of cyberspace (CAM, 2014) and the new paths in foreign policy his administration took (Obama, 2009) it is needed to take a close look at these changes. By doing so one can anticipate further moves of the administration in a better way and at the state level, better policy’s possibly can be made to counter or act accordingly to these changes. Of course depending on the foreign policy of that particular state. As is shown above the topic affects us all in a still increasing way, making it also relevant for non-state actors to look into the actions taken by the Obama administration. It is important to know in what way and how the administration affects this greatly public sphere, especially given the fact that at this very day the Obama administration is still holding the office. Combined with the fact that the United States (U.S.) is one of the major actors in the worlds states system (Stivachtis, 2012) and also in cyberspace (Choo, 2011), it becomes apparent that research on the topic is needed and relevant. As the topic moves up national security agendas worldwide, the roles and approaches of the U.S. and the EU in a NATO context intensified. There is great discussion about national initiatives on cooperation among all these states, especially when the U.S. in 2011 presented a new position when Obama issued the first presidential decree on the subject of International Strategy for Cyberspace (The European Institute, 2011). In this document the U.S. made clear that it would regard a cyber-attack with the same gravity as a conventional assault. Quoting the document:
‘[The U.S.] reserves the right to use all necessary means – diplomatic, informational, military
and economic (…) in order to defend our Nation, our allies, our partners and our interests.’
(The Whitehouse, 2011).
Next to that at this point in time only a hand full of scholars really looked into this subject, making it even more important to do more research (Choo, 2011).

This subject however has a longer history.

The debate in the U.S. on this topic, which will be the focus of this research and is part of America’s Grand Strategy for it is part of the National Security Strategy, dates way back to Second World War and was first being discussed in the military sphere. The military was the first to define information technology (IT) as a force enhancer and later on, after the cold war, also saw the threat coming from IT when it became clear that digital classified information was vulnerable or theft and espionage, leading to the forming of the ‘foreign intelligence threat’-framework (Reagan, 1984). This ‘act of speaking’, meaning saying there is certain issue and naming it a problem that needs to be addressed, called the speech act as described by Searle (1969) and Austin (1962), was the first successful ‘securitization’ of a part of cyberspace. The term securitization is in this in this sense defined as the forming of a certain issue into a matter of security, leading to extraordinary countermeasures. During the years following to the forming of the internet, one can see the range and dependency on the internet ‘exploding’, while at the same time a number of important (hacking) events happened, such as the Morris-worm (Moore, 2002) and the Rome Lab incident (Rome Lab, 1996), which have shown us that cyberspace is not only a force enhancer, but can also be perceived as a threat to the (national) security of a state and the people and businesses in it (Cavelty, 2008).

After the Oklahoma City bombing of April 1995 the ‘critical infrastructure doctrine’ emerged. After the bombing it became clear that:
‘Those assets whose destruction or disruption would have a crippling impact on the heart of
the US society (…) should be protected against any form of attacks’
(Cavelty, 2008, pp 88).

Albeit that the Oklahoma City bombing was not a cyber-attack, the Clinton administration recognized mainly because of this attack the importance of protecting these assets, and above all, the risk cyber-attacks presented to those assets. Another important change in the threat-frame is the economic factor being linked to the critical infrastructure. This economic factor clearly shows the importance and ‘international character’ of the issue, because it is well known that the U.S. has many economic interests worldwide (van Apeldoorn and de Graaff, 2014). In 2000 the Clinton administration made a strategy called ‘Defending America’s Cyberspace. National Plan for Information Systems Protection – An Invitation Dialogue, Version 1.0’ (Clinton, 2000). This strategy, in short, entailed a combined effort between the government and private infrastructure service providers to secure cyberspace.

This should according to the document be done on two levels:

-The intelligence and law enforcement world should together build up further capabilities to be able to investigate cyber-crimes, by using computer forensic tools or close surveillance of the hacker community.

-Hardening the critical infrastructures.
(Bendrath, 2001)

With the terrorist attack of 9/11 during the Bush administration things changed. Terrorism had become the main enemy andin the National Security Strategy of 2002 the word ‘cyber’ was not mentioned at all (Bush, 2002).

In the aftermath of 9/11 the ‘PATRIOT Act’ came into effect. This piece of legislation provided the intelligence agencies with a lot more tools to investigate cyber-crime than before. Bush shifted the focus of attention to the prevention of physical threats rather than cyber-threats and used cyberspace to do so. Cyberspace became more of a tool again (Cavelty, 2008).

The National Security Association (NSA) acknowledged that there were potential adversaries in the form of states such as China and Russia, who were doing research at the time about the Department of Defence’s networks and information systems to be able to successfully attack them (Hildreth, 2001). This lead to the Defense Science Board claiming in a report in March 2001, called ‘Protecting the Homeland’, that the U.S. is in an ‘arms race’ over information systems for warfare (Defense Science Board, 2001).

As is shown above the threat subject (hackers, states etc.) remained fairly stable over the years, but the referent object (who/what is at danger) has changed. First cyber-threats were only linked to the Government’s information systems, then they were linked to the intelligence debate and the risk of foreign espionage became clear, and ultimately they were linked to the critical infrastructure doctrine. By doing so, cyber-threats became seen as a threat to society’s core values and to the economic and social well-being of the nation. However, as said earlier, cyberspace is in this last phase of the threat-frame not only a threat but merely a means to an end: providing Homeland Security (Rasmussen, 2004).

However, even though the threat coming from cyberspace is clear, there is no ‘real world reference’ to the threat. Some government officials and experts even talked about a possible ‘electronic Pearl Harbor’, linking cyber-threats to a successful attack on the U.S., but such an attack has at this point in time never occurred (Smith, 1998; Bendrath, 2001). Therefore constant persuasion is required to sustain the sense that it is a real danger, in order not to lose ‘public interest’ (Scheufele, 1999). This provides the great task for the Obama administration to renew the speech act (R.C.D.S., 2011) if it wants to continue to pursue its (economic) interests and national security. This taskaccordingly became an important part of the administration’s policy. The main question that now has to be answered is how exactly the Obama administration manages to do so effectively, leading to the research question:

‘How has the Obama administration continued to securitize cyberspace?’

Theoretical framework

As a theoretical framework I will take a semi-constructivist stance in this research, as it is described in the work of Myriam Cavelty. This means that, in contrast to the normal constructivists’ way of looking at the world in this writing it is the opinion that the researched object can exist independently of the analyst. The categories in which they are identified are socially constructed, but consensus about the nature of the world is possible in the long run. This also implies that the way stakeholders think about their environment, including the technological substructure and the way this impacts the world, influences their actions and reactions (Cavelty, 2008).

In order to be able to investigate how the process of securitization as being defined above works and how is has continued during the Obama administration it is important to clarify what is the definition of the word ‘securitization’. In this research I will use a theoretical scheme being mainly based upon the Copenhagen School’s securitization theory, which tries to answer the question:

‘Who securitises (the actor) which issues (the threat object), for whom or what (the referent object), why (the intentions and purposes), with what result (the outcome), and under what conditions (the structure)’.
(Buzan, 1998, pp 42).

Thanks to the focus on the ‘language’ used by actors of this securitization and the attention to the complexity of the process, the scheme enables me to look at newspaper articles, documents, speeches and interviews related to this topic. Furthermore, the scheme is unique in providing a theoretical framework which is being combined with agenda setting theory as described by(Kingdon, 2003) and framing theory as being described by (Eriksson and Noreen, 2002). Therefore it gives us a theoretical ‘toolbox’ which can be used to, orderly, try to find an answer to the research question.

The scheme consists of the following parts:

1. Policy window:
   In order to be able to make a certain issue into a matter of security there has to be a ‘policy window’. This means that there has to be a chance of the issue being presented (as a problem which needs to be securitized) in the political reality of the day. When people state they did something because of something else, being actions taken in a policy due to a policy window (problem definition), this is proof for its existence. According to securitization theory this opportunity can arise in two ways:

-Problem window:

When there is a ‘new’ problem which comes to the attention of decision-makers, which can happen when there is a certain focussing event, there are indicators or due to feedback.

-Political window:

When there is a for example a swing in the public mood, when there are elections or when there are campaigns by pressure groups, a change in the political direction of policies can occur.

1. Framing actor:

Many different (groups of) actors are involved in creating a threat frame. A threat frame is being formed by actors sharing the same basic beliefs and have the resources to do so. This can for example be, as in this research, a presidents administration or a group of experts on a certain issue.

-Beliefs:

The actor(s) need a shared set of basic beliefs in order to make a consistent threat frame.

-Resources:

The actor(s) need resources to be able to successfully present the threat frame to the audience of the threat frame.

1. Threat frame:

When the actors being described above are successful a threat frame occurs. This threat frame consists out of three main parts.

-Diagnostic frame:

The diagnostic frame explains what is the threat subject (who/what is the problem) and what is the referent object (who/what is at danger).

-Prognostic frame:

The prognostic frame contains solutions to the problem, strategies, tactics and objectives by which these solutions may be achieved.

-Motivational frame:

The motivational frame makes sure the right persons (mostly important decision/policy makers) are being mobilised by the treat frame. These persons are called the ‘audience’ of the threat frame. If this is successful the issue will become part of the political agenda as a problem which has to be addressed.

1. Countermeasures:

According to securitization theory the countermeasures being taken after the successful securitization of a certain issue should be ‘extraordinary’. This can be because the countermeasures were never seen in this particular form before, or ,for example, because they are exceptionally ‘harsh’ and/or contentious.

(Cavelty, 2008, pp 46-56)

Methodology

The way this research in a practical way will be done very much follows the scheme being described above. Because I have briefly told the history of the threat frame in the introduction and this research will be a continuation of research being done. I will focus only on the documents and literature from the ‘Obama administration period’. I’ve chosen this period of time because the latest step in following the threat frame was made in 2008, and Obama came into office in January of 2009.

The research will consist of the following sub-sections:

1. A policy window
2. Framing actors
3. The Obama administration’s threat frame
4. Countermeasures

To provide for information I will look at speeches and interviews of actors from the Obama administration, mainly being president Obama himself. Because the theoretical framework that is being used in this research relies on ‘keywords’ being used by framing actors, it is important to already define a few keywords to begin the investigation with. These words will form the starting point of the search in the speeches, official documents and interviews.

Because the latest work on this topic was written in 2008 I will use the keywords mainly used in that period.

They are as follows:

-Cyber-threat

-Cyber-attack

-Cyber-security

-Cyber-terrorism

-Cyber-war(fare)

-Electronic Pearl Harbor

-Information operations

-Information warfare

-National security (in connection with information security, etc.)

-Vulnerabilities of information infrastructure

-Critical (information) infrastructures

-Computer intrusion

-Computer (-based) attack

(Cavelty, 2008, pp 30)

New found keywords:

-Economic cyber-threat

-Intellectual property theft

-(nation)state (in connection with cyber, economic threat, intellectual property theft etc.)

-China (in connection with cyber, economic threat, intellectual property theft etc.)

-Obama administration (in connection with cyber, policy etc.)

-President Obama (in connection with cyber, policy etc.)

If I find, as I expect, new keywords I will further investigate those words and then add them to the list under the heading ‘new found keywords’.

When I have defined the threat frame of the Obama administration I will look at possible countermeasures that were taken to see if they can be called extraordinary.

In the conclusion all the collected information will be combined and interlinked. With this information it, hopefully, will be possible to answer the research question.

Analysis

A Policy window

According to securitization theory a policy window is the first thing needed in order to successfully securitize an issue. This opportunity can arise in two ways: