1 Introduction
Our freedom and prosperity increasingly depend on a robust and innovative Internet, which will continue to flourish if private sector innovation and civil society drive its growth. But freedom online requires safety and security, too. —European Cybersecurity Strategy (EC 2013, p. 2)
1.1 Digitalization and the need for a culture of cybersecurity
1.2 Situating our argument: envisioning the digital future through cybersecurity
2 Research framework
2.1 Background, materials and methodology
2.2 Theoretical perspectives: combining sociotechnical imaginaries and governmentality studies
3 Problematizing cyberspace through the lenses of security
3.1 Securing cyberspace: historical context of Austria’s cybersecurity policy
Today the general welfare of the state depends to a considerable extent on the availability and proper functioning of cyberspace. While growth rates in Internet usage, e‑commerce and e‑government are significant and cyber crime […] is on the rise, the Internet and computer skills of the users have remained virtually unchanged (Republic of Austria 2012, p. 4).
cyber-crime, cyber-attacks, the misuse of the internet for extremist purposes and network security are serious new challenges for all stakeholders and require wide-reaching cooperation as part of a comprehensive policy (BKA 2013b, p. 11).
3.2 Cybersecurity as vital systems security and process of securitization
4 Articulating a strategy for a safe and secure digital future
4.1 (Re-)aligning institutional frameworks: centralizing cyber forces, monitoring cyber-risks
4.2 Implementing information security management systems
5 Promoting digital safety and security through knowledge, skills, and innovation
5.1 Innovating DS&S through techno-scientific research and development
5.2 Forging digital subjects: training a new generation of cybersecurity experts
[m]any organisations are unable to forecast and/or estimate the impacts of a cyber-risk. This results often in insufficient and/or irrelevant investments to ensure a more cyber secure environment. […] In a connected EU society, there is an urgent need for highly competent cybersecurity professionals, and security experts need to be in a constant learning process, to match the quick rate of evolution of the cyber threats, attacks and vulnerabilities. Cybersecurity skills need to be continuously advanced at all levels (e.g. security officers, operators, developers, integrators, administrators, end users) in order to enable cybersecurity […] within the EU Digital Single Market (EC 2017, p. 57, emphasis added).
Information security does not emerge almost automatically from Technology and Know-how, but first of all from the awareness of management and members of an organization, that information presents values that are endangered and in need of protection (BKA 2016, p. 26).
5.3 Exercising the contingency: enhancing crisis response through simulated cyberincidents
6 Discussion
6.1 Cybersecurity as “globalizing” form of security
Together with the Twin Towers, our traditional perceptions of threats collapsed. […] Before 9/11, cyberspace risks and security challenges were only discussed within small groups of technical experts. But, from that day it became evident that the cyber world entails serious vulnerabilities for increasingly interdependent societies (Theiler 2011, n.p.).
- The digital society is co-produced with cybersecurity
Cybersecurity must be understood as an active sociotechnical construction site of an emerging digital society. From this perspective, problematizations of cybersecurity do not merely emerge in reaction to a progressing digital society but rather constitute a medium in which the latter is collectively (re-)imagined, publicly pursued, and institutionally configured. The aspiration to create a culture of cybersecurity, hence, further indicates this generative and productive dimension of DS&S: The aspiration to train and educate individuals as circumspect users of digital technologies does not only seek to protect citizens against harm but simultaneously to forge prudent digital subjects—citizens with the necessary set of skills and capacities to capture and innovate a digital society imagined to be caught in constant “in-formation” processes.
Furthermore, as an active site of societal transformation, the seemingly technical nature of producing DS&S (in terms of innovating new cyber tech devices, governance instruments, and digital subjects) appears as a highly political endeavor. To (re-)produce sovereignty in the cyberspace domain, a plethora of control mechanisms have to be put in place and kept in operation: data sets are analyzed, algorithms redefined, incidents mapped and reported, and devices redesigned and developed. On the other hand, these control mechanisms operating at the level of protocol (Galloway 2004) are complemented by technologies of subjectification (Foucault 2004): digitally prudent and responsible subjects are forged, ones that acquire and embody appropriate behaviors, coping strategies, and practices of self-formation as digital citizens and/or digital experts.
- Cybersecurity (re-)articulates a new global form of security
Given its globalizing (i.e., all-encompassing) dimension within society, cybersecurity must not be merely understood as a novel domain or “domain” (Hansen and Nissenbaum 2009) of security policy. Rather, it represents a security rationality that gradually colonizes the entire field of security—thereby reworking its normative and operational logics, its political epistemologies, and instruments of intervention. As such, cybersecurity amounts to a specific governmentality for and in the contemporary societies of control (Deleuze 1992). Put succinctly, in the context of a sociotechnical imaginary of the digital society, conventional security tends to become (re-)articulated within a rationality of cybersecurity: If society as a whole is increasingly reimagined as a digital society throughout, all security tends to become closely tied to digital security.
To begin with, the growing interdependence and interconnectedness create a situation in which digital vulnerabilities easily translate into a whole range of other types of vulnerability. This is most apparent in the concerns about critical infrastructure protection (Aradau 2010) but also manifests in a broad range of other domains, such as border security through databases (Jeandesboz 2016), the human body deciphered as “code” in the context of molecular biology (Dillon 2003), or global health policy and strategies of epidemic preparedness (Roberts and Elbe 2017). For instance, a digital security problem in a nuclear reactor could easily translate into a major nuclear safety concern, and a safety issue in the energy sector can easily spill over into a national crisis propelled by a massive blackout—including disorder and insecurity due to riots, lootings, public health and safety issues, breakdown of transportation and communication, etc. (Cooper 2006; Lakoff 2008).
In all these domains, which are possible sites of digital safety and security intervention, power and control are exercised at the level of protocol (Galloway 2004), alongside more conventional technologies of power. With the growing digitalization of society, all safety also involves digital safety, and all security also involves digital security—hence reworking the very epistemologies of security policies.
In this emerging rationality of digital safety and security, the conceptual distinction between, say, human safety and safe technology becomes not only blurred but increasingly inconsequential for the operation of cybersecurity—not least due to the easy spillover effects from human failure to infrastructural vulnerabilities, from small security holes to large-scale public safety concerns.