i A Critical Reflection on the Construction of the Cyberterrorist Threat in the United Kingdom of Great Britain and Northern Ireland by Gareth Mott Department of Politics and International Relations A thesis submitted in partial fulfilment for the degree of Doctor of Philosophy at Nottingham Trent University April 2018 ii This work is the intellectual property of the author. You may copy up to 5% of this work for private study, or personal, non-commercial research. Any re-use of the information contained within this document should be fully referenced, quoting the author, title, university, degree level and pagination. Queries or requests for any other use, or if a more substantial copy is required, should be directed in the owner(s) of the Intellectual Property Rights. iii iv Acknowledgements This thesis would not have been possible without the scholarship generously provided by the department of Politics and International Relations at Nottingham Trent University. I am extremely grateful to the department, the school, and the university for entrusting me with this funding. Before embarking on this PhD, I devoured several books along the lines of Phillips’s and Pugh’s (1994) How to Get a PhD. This was a bit like typing ailments into a search engine. Some students are lucky with the supervisory teams that they are landed with, others unlucky. I am fortunate to count myself in the very lucky cohort. Thank you, to my supervisory team, Dr Christopher Baker-Beall and Professor Matt Henn. You were instrumental in this project and in providing me a wealth of opportunities and guidance at Nottingham Trent University. I would also like to thank Professor Lee Jarvis, not only for supervising my Master’s dissertation at the University of East Anglia, but additionally for your encouragement in making an application to Nottingham Trent University and guidance in doing so. Had you not advised me of the available scholarship and encouraged me to apply, it is unlikely that I would have embarked on a PhD; I’d probably be selling car insurance! Of course, thanks must be paid to Karen and Richard, my parents, whose patient parenthood I will always be grateful for. Lastly – and I think I can get away with this in a cyber threat thesis! – I would like to thank my ‘88 US IBM Model M keyboard. Your mechanical keys have been irritating housemates and neighbours for years, but the clacks are music to my ears. You have seen me through my A-levels, my Bachelor’s degree, my Master’s degree and, hopefully, my PhD. Someday, I will let you retire. But not quite yet. Let’s write a book together. v A Critical Reflection on the Construction of the Cyberterrorist Threat in the United Kingdom of Great Britain and Northern Ireland Abstract Cyberterrorism has not occurred. Furthermore, the definitional parameters of cyberterrorism have not been conclusively defined by either policymakers or academia. However, in 2010 the threat posed by the terrorist application of cyber weaponry to target British critical national infrastructure became a ‘Tier One’ threat to the UK. This thesis is the first comprehensive mapping and analysis of the official British construction of the threat of cyberterrorism between 12th May 2010 and 24th June 2016. By using interpretive discourse analysis, this thesis identifies ‘strands’ from a comprehensive corpus of policy documents, statements and speeches from Ministers, MPs and Peers. This thesis examines how the threat of cyberterrorism was constructed in the UK, and what this securitisation has made possible. In addition, this thesis makes novel contributions to the Copenhagen School’s ‘securitisation theory’ framework. Accordingly: this thesis outlines the framework for a ‘tiered’, rather than monolithic audience; refines the ‘temporal’ and ‘spatial’ conditioning of a securitisation with reference to the unique characteristics of cyberterrorism; and lastly, details the way in which popular fiction can be ascribed agency in securitising moves to ‘fill in’ a lack of case studies of threat with gripping vicarious fictional narratives. It is identified that the 2010 British Coalition Government’s classification of cyberterrorism as a ‘Tier One’ threat created a central strand upon which a discursive securitisation was established. Despite the absence of a ‘cyberterrorist’ incident across the period under scrutiny, the securitisation did not recede. The threat posed by cyberterrorism was articulated partially within a ‘New Terrorism’ frame, and it was deemed by Ministers, MPs and Lords to be a threat that was likely to escalate in both severity and possibility over time. A notable finding is the positioning of the securitisation against a particular ‘cyberterrorist’ identity epitomised by social actors using cyberspace, rather than the tangible environments of cyberspace. vi Table of Contents Chapter One: Introduction 1 Introduction 1 Thesis Aims and Research Questions 2 Critical Terrorism Studies 5 Critical Security Studies 9 Defining Cyberterrorism and Cyberspace 13 The Threat of Cyberterrorism 18 Structure of the Thesis 22 Conclusion 26 Chapter Two: Theory 28 Securitisation Theory 28 The Securitisation of Cyberterrorism in Relation 33 To the ‘Traditional’ Framework of Securitisation The ‘Pantomime’ Model of Securitisation 36 Conclusion 47 Chapter Three: Method 49 Interpretive Approaches 49 Discourse and Identity: Some Basics 52 Metaphor and Descriptive Language 59 as Tools of Persuasion in Securitisation Source Acquisition 65 Interpretive Method 69 Conclusion 71 Chapter Four: The Discursive Construction of 73 the Threat of Cyberterrorism to the United Kingdom Cyberterrorism as a ‘Tier One’ Threat to the UK: 74 The National Security Documents vii Beyond the National Security Documents: 77 The Construction of Cyberterrorism as a Tier One Threat Public Perception of the Threat of Cyberterrorism 83 Lessons from the Construction of Cyberterrorism 86 as a Tier One Threat: Anticipatory Security Lessons from the Construction of Cyberterrorism as 90 a Tier One Threat: Legitimising the UK’s Cyber Weaponry Program Conclusion 95 Chapter Five: Cyberterrorism as Temporally 98 Unique Cyberterrorism as a Temporally Unique Threat: 99 ‘New Terrorism’ - Mapping Cyberterrorism as a Temporally Unique Threat: 104 ‘New Terrorism’ - Analysis Cyberterrorism as a Temporally Unique Threat: 108 Escalation of Threat – Mapping Cyberterrorism as a Temporally Unique Threat: 117 Escalation of Threat - Analysis Conclusion 123 Chapter Six: Cyberterrorism as Spatially 125 Unique, and ‘From Fiction to Reality’ Cyberterrorism as a Spatially Unique Threat: 126 ‘Safe Havens’ – Mapping Cyberterrorism as a Spatially Unique Threat: 129 ‘Safe Havens’ – Analysis Cyberterrorism as a Spatially Unique Threat: 134 ‘Physical versus Cyber’ – Mapping Cyberterrorism as a Spatially Unique Threat: 137 ‘Physical versus Cyber’ – Analysis ‘From Fiction to Reality’: The Role of Fantasy, 141 Imagination and Popular Fiction in the Construction of the Cyberterrorist Threat Against the UK viii Conclusion 154 Chapter Seven: Conclusion 156 Findings 157 Pantomime Audience Framework 159 Limitations of the Thesis 161 Future Avenues for Research 164 Final Remarks 168 Reference List 171 1 Chapter One: Introduction Introduction Following the establishment of a functional world-wide-web in 1990, the UK, along with international society at large, has become increasingly interconnected. Worldwide, there are roughly 3.58 billion people who regularly use the services of the world-wide-web (Statista, 2018). In the UK, 89% of adults were been identified as regular users of the internet (ONS, 2017). The number of devices connected to the internet has increased exponentially, and this is a trend set to continue; fuelled by the huge financial and capital investment into IT spending, which totalled $3.7 trillion in 2013 (Whitney, 2013). Consumer demand is also a significant force driving the proliferation of internet access, in part due to innovation that has produced increasing layers of 'killer programs'; computer programs that are highly desirable and perhaps necessary for modern living. Email and browser-based access to the world-wide-web are examples of such 'killer programs', but increasingly these extend beyond computers and mobile phones amidst the expansion of the 'Internet of Things'. Put simply, this ‘Internet of Things’ is the process in which physical objects such as refrigerators, ovens, heating systems and pet feeders can be embedded with electronics and software that permits them to both collect and exchange data, and to be controlled remotely. A study by Cisco has suggested that more than 50 billion 'things' will be connected to the internet by 2020 (Tillman, 2013). The integral value of online services for economic prosperity is clear. Online services are so embedded into the functioning of modern society that any attempt to calculate the true 'value of the internet' would be perfunctory, although tentative figures are offered to contextualise analysis in Chapter Five. However, connectivity does not come without risk. Hacking, a term previously the preserve of students engaging in problem solving or practical jokes – not necessarily in electronic form – globally became increasingly legislated against in the 1980s and 1990s, and some forms of hacking have since constituted a criminal offence, thus integrating 'hacking' into a 'cybercrime' lexicon. As the international economy rapidly became increasingly reliant on internet-mediated connectivity over the course of the 1990s and early 2000s, a