Watch Your Mouth: Why Talking ‘(Cyber-)Security’ Is Popular, Complex and Deeply Political

Everybody immediately relates to ‘security’, but may mean something profoundly different. This makes researching ‘security’ both difficult and important. My main concern is that we need a better understanding of what ‘(cyber-)security’ is and what it’s not, precisely because of it’s popular, complex and deeply political properties. Until then, we need to watch our mouth when we talk ‘(cyber-)security’, as ambigous concepts are a battleground for political exploitation. 

Contrary to many concepts in law, ‘security’ actually rings a bell with non-lawyers. Just ask around and see what you’ll get: one person may define security as being safe from harm. Another sees it as not being exposed to any risk or threat. A third relates to security as a technical means to achieve freedom from corporate or state surveillance. All three of them appeal to a certain manifestation of security, but mean something profoundly different. To make matters even more complex, language and local culture play a significant role in how ‘security’ is conceptualized.[1] 

Apart from popular, the concept of ‘security’ is sometimes highly overloaded, and seems always ambiguous. I like how Zedner calls security a ‘slippery’ concept:[2]

“Its meanings are multiple and without clarity about which meaning is intended (or understood); exactly what is being provided and consumed, sold and bought, promised or sought remains obscure.”

Many have observed that it’s quite fashionable to talk about security these days. And that security within and of the state has become a powerful legitimization for the exercise of control and force, both within and outside national borders. It started long before ‘9/11’ but it has been exacerbated by its subsequent ‘war on terror.’ The re-branding of the Dutch ‘Ministry of Justice’ into the Ministry of ‘Security and Justice’ (in that order) in 2010 is a quite striking case in point.[3]

Whether or not the emphasis on security is desirable is very much up for debate in the literature. Some herald security as the ‘hallmark of civilizations’[4] or introduce the concept of human security to encapsulate a wide range of interests through the lens of security and advocate individuals at its receiving end.[5] Others use terms as ‘security theatre’ to point at our obsession with the concept,[6] or observe that ‘security has […] become inextricably entwined with the circuits of accumulation in contemporary capitalism’.[7] In this view, security is a deeply political concept to divide between ‘us’ and ‘them’, who’s in, and who’s out.

Between theory and practice, facts and emotions, objectivity and subjectivity, conceptualizing ‘security’ is a continuous challenge, or more accurately, never complete. Moreover, any honest conceptualization factors in the particular perspective of the author, be it academic discipline, political philosophy or personal experience. The latter, by the way, is something researchers hardly acknowledge in their takes on ‘security’.

Of course, saying that something is complex and warning against political exploitation when using one word over the other is the usual safe haven for researchers. But policymakers raise their shoulders, and go on. Here’s lies the difficult dilemma. While conceptualizing ‘security’ is inherently complex and incomplete, one cannot shy away from it, especially when it comes to the question whether or not electronic communications security should be subject to regulation.  As Baldwin observes, regulatory failure can often be attributed to a shortcomings in a legal definitions.[8] Zedner describes it elegently, when she argues that imprecision can be both unintentional and intentional on part of policymakers, as it gives rise to ‘divergent’ and ‘exceptional measures that might be otherwise indefensible’.[9]

Conceptualizing ‘security’ in the field of electronic communications is no exception. A specific property to these debates, is how experts seem to monopolize the ‘truth’ because technology is a complex subject for most people. I wrote about the work of ethnographer Tom Boellstorff with regard to ‘big data’ and ‘metadata’ before, but the ‘security’ concept seems even more inherently prone to the exercise of power, control and exclusion by ‘experts’. Perhaps a good metaphor to describe the dynamic is branding (cyber)security a container,  in which anyone with convincing credentials can chip their particular interest, but I immediately add that I’m perhaps exercising control here myself. Anyway, tech (policy) experts have a particular responsibility to be careful with the words they use when they talk to policymakers and legislators.

Several attempts to define and conceptualize ‘security’ in electronic communications have been made across jurisdictions, standards and literature. But a clear consensus is emerging that conceptual clarity is both lacking and badly needed. While it is an inherently incomplete exercise, untangling the intricate conceptual web around (communications) ‘security’ helps to delineate the different conceptions of security we appeal to, to resolve some of those tensions or inform us, quite essentially, where any regulation will fundamentally complicate or even exacerbate them.

Funding, political traction and media attention defintely contribute to the current re-branding of longstanding internet policy debates as ‘security’ issues. The danger is, again, that security is by no means value-neutral and thus changes the very nature of the debate. One example that ties into my earlier work, is the current debate about whether internet companies should offer SSL by default both on web-facing traffic and in their own networks – a response to the MUSCULAR disclosures (the NSA hacking into infra-network Google and Yahoo! traffic).

If ‘cybersecurity’ is the main reason to craft policy in this space, the traffic will be better protected from cybercriminals. If ‘privacy’ is an additional rationale, the debate could be broadened to include  under what conditions governments should have the right to request what data directly with the company. A cybersecurity rationale on itself will leave that important question untouched, perhaps merely raising the transaction costs for government to hack into systems – a very dominant frame in tech circles these days – which they shouldn’t be doing in the first place. On a related note, it would be sensible to extend the ‘cybersecurity’ debate to such hacking practices by governments, and in my view outlaw them altogether [disclaimer: read my bio :) ]. Government should adher to legal process, rather than hack-at-will which ultimately benefits the behemoths. But I do understand it when activists argue, that current political constellations render progress in one space either unrealistic or even counter-effective. It’s a sad testament to the lack of political priority for privacy whenever you move into the completely overloaded debate on ‘national security’ in most countries, even post-Snowden.

With all the talk about ‘security’ and ‘cybersecurity’ today, it’s quite striking that I haven’t seen any convincing work on untangling the concept of ‘electronic communications security’. That’s why I’m expanding that part of my thesis significantly. By all means, that I haven’t seen much convincing work on it doesn’t mean that it doesn’t exist. Never hesitate to drop me a line or a comment if there’s something I should look into.

This post is a more relaxed version of the introduction to my thesis chapter on conceptualizing security. In the chapter, I first untangle security in three subcategories: existing modalities, beneficiaries and producers (categories subject to change, needless to say). I localize the categories in the broader debates on major shifts in human organization during these (post-)modern times. With Bauman, I hold that the popularity and ambiguity of ‘security’ can be attributed to the gradually increasing social acceptance of expressing anxiety about such major shifts through the ‘security’ lense. The politization of security – notably ‘securitization’ – can thus be understood as a means to re-claim the appreance of policy agency. I apply that framework to the political discourse around cyber-security in the U.S., the E.U. and other policy systems. In the following paragraphs, I describe security in its technical conception – the confidentiality, integrity and availability triad and the related debates – and argue that the clear link with constitutional values are conspicuously absent from all ‘security’ conceptualizations. I then reflect on the interplay of ‘security’ and constitutional values, refering to some fascinating recent case-law of the European Court of Human Rights and the German Constitutional Court. By all means, the work will be way more detailed and I’d say convincing than my TPRC41 draft paper and some parts of my certificate authority collapse paper. The latter I’ll update for a piece in Communications of the ACM and the first case study of the thesis.

Thanks are due to my friend Erik, who’s working on a ph.d. project on ‘deviant security’ practices applied by cybercriminals. We had a discussion about his first chapter and he pointed me to literature on ‘security’ from a quite different perspective than what I’m usually confronted with.  You’ll find some of those references below. 

[1] Z. Bauman, ‘Globalization: The Human Consequences’, Cambridge: Polity Press 1998, p. 117.

[2] L. Zedner, The concept of security: an agenda for comparative analysis. Legal Studies, 2003:23, p. 154.

[3] Translated from ‘Ministerie van Veiligheid en Justitie’. Decided by Royal Decree, K.B. van 14 oktober 2010, kenmerk 3096356. H.

[4] I. Loader, N. Walker. Civilizing Security. Cambridge University Press, 2007.

[5] M. den Boer, J. de Wilde, The Viability of Human Security, Amsterdam: University Press 2008, p. 10.

[6] B. Schneier, Beyond Fear: Thinking Sensibly about Security in an Uncertain World, Copernicus Books 2003. p. 38

[7] Yar 2009, p. 190.

[8] Baldwin et al. 2012, p.68.

[9] L. Zedner, The concept of security: an agenda for comparative analysis. Legal Studies, 2003:23, p. 158.

Leave a Reply

Your email address will not be published. Required fields are marked *