By now I am sure many of you have seen the news that Sony has indefinitely postponed/canceled the theatrical release of The Interview under threat from hackers apparently connected to the regime in North Korea. It is not clear whether the threat was explicitly against movie goers or against the companies screening the film, and whether the assault would be virtual or physical in form (although the Obama Administration has suggested the theatre threat was overblown and has criticized Sony for withholding the film). What is clear is that the cancellation costs Sony tens of millions of dollars in lost production and promotion costs and has established a precedent that digital assaults can produce real world costs and behavioral changes.
Quite striking is the shift in construction of the Sony issue as a threat. Previous breaches of corporate information technology (IT) security have hardly prompted the kind of national security discourses the Sony case has generated. Indeed, the earlier disclosure of sensitive emails from the Sony IT breach did not result in discussions of national threat. Certainly, the more international and public elements of the situation suggest greater basis for making a national security claim. And yet, the appearances are deceptive. The Obama Administration specifically downplayed the possible threat to cinemas, with the Department of Homeland Security indicating there was no credible threat to cinemas or theatregoers. The cancelation of the film is certainly costly, but most of the cost is born by Sony (to the tune of tens of millions of dollars). To that end, the IT breach is not any different from other corporate IT breaches where customer information has been compromised. The North Korean element is certainly substantive, but not altogether unique.
What the shift in discourse reveals is the socially constructed nature of threat. The public costs of the Sony IT breach are economically smaller than in other breaches, and the linkage to external state is not unique to the Sony case. So materially, there is little that obviously qualifies the Sony IT breach as a national security issue, much less something that calls for US government retaliation. The discursive shift regarding the national security ‘threat’ posed by the Sony incident highlights the utility of securitization theory for thinking about the issue of cyber security. Specifically, securitization theory directs our attention to how political actors are seeking to reconstruct the Sony IT breach in ways that justify extraordinary measures, in this case the US government risking conflict escalation with a isolated, reactive, and militarized regime in North Korea on behalf of a private economic/corporate entity. Notably, since the cancellation of the film discourses have highlighted core elements of American political identity, specifically the right to freedom of expression, as the basis of the security claim. This discursive shift suggests a societal boundary with respect to information technology issues in the United States between a private concern (Sony breach before film cancellation) and a public security matter.
Securitization also draws our attention to the political effects of security, and a consequence the costs of security. Who benefits from or is empowered by treating IT issues as security issues? What consequences arise from making IT security a national security matter? How can the state possibly mandate security measures for an issue that interweaves throughout the economy? What kinds of instabilities are created by involving states as security actors in the cyber realm with the strong potential of militarization? Certainly weak states will seek to take advantage of the asymmetric opportunities of global information technology, but the question of responsibility and countermeasures remains an open one for the most powerful and developed states in the system and whether those should lie with the state. Specifically, in past nonsecuritized (from the standpoint of the state) IT breaches, the responsibility and the cost were assumed to lie with the victimized corporation. Securitization shifts that responsibility and cost to the state.
I have long been a skeptic of the concept of cyber security as such, and for me securitization theory opens up an analytical space for critically interrogating the concept of cyber security, the process by which information technology issues are transformed into security, as well as the political and social effects of terming information technology as security.
**Thanks to Dave McCourt for helpful comments on this post!