Understanding Cybersecurity: Ethical and Conceptual Considerations

Abstract

In this paper I provide an ethical and conceptual analysis of the emerging concern with ‘cybersecurity.’ My paper provides an opportunity to explore some key concepts relating to security in the ‘cyberrealm,’ where kinetic and informational threats are rapidly converging. I offer a way of clearing the conceptual space relating to cybersecurity by exploring both how the term is being used and how it can be used. First of all, I outline how cybersecurity (the systemised protection of individuals and states against cyberwarfare, cyberterrorism and cybercrime) is an increasingly prominent feature of the national security agenda. National governments, for instance, are becoming increasingly alarmed at the potential for serious attacks on cybersecurity and are responding accordingly. The Australian Government nominated ‘malicious cyber attacks’ as one of seven key national security risks in the recently released national security strategy and announced a new cybersecurity centre. And the U.S. Defense Department is set to more than quadruple its cyber forces over the next few years, in an effort to better protect critical networks and improve capacity for offensive cyber operations. Next I argue that an effective cybersecurity strategy requires clarification of certain key concepts. An effective response to emerging threats to cybersecurity requires a comprehensive understanding of the problem and its potential solutions. In particular, I argue, that it is an important task to establish a firm conceptual grasp on what we mean by the term ‘cybersecurity’ since many of the important conceptual aspects of cybersecurity remain unexamined. As a consequence, different people might be referring to different things when they discuss cybersecurity. A more conceptually rigorous approach to ‘cybersecurity’ will also help us to understand how the term should be used. Then, to demonstrate my point that clarifying the meaning of cybersecurity is an important task, I provide an analysis of the ethics of surveillance as it applies to different aspects of cybersecurity. The permissibility of surveillance depends on how we conceive of cybersecurity in terms of cyberwarfare, cyberterrorism, and cybercrime. Key to any aspect of security is the ability to anticipate threats and construct both passive (i.e. building defences) and active (i.e. neutralising threats) solutions. Anticipation in the cyberworld requires surveillance. Yet surveillance infringes on the rights of individuals and exposes security practices to internal threats. Furthermore, as a second example, I demonstrate that distinguishing between cyberwarfare, cyberterrorism, and cybercrime is an important policy issue because it helps determine which institutional mechanisms to use on a particular security threat, a problem which is increasingly compounded by changing understandings of war, terrorism, and criminality. Finally, I go on to consider two potential avenues for improving the conceptual clarity of cybersecurity. First, I examine cybersecurity in reference to the actor using the term. This approach considers how the term is used by a variety of actors with responsibilities for cybersecurity, including: IT professionals; government; military; police; private business and so on. Second, I examine cybersecurity in reference to the threat it describes. By providing a conceptual analysis of cybersecurity in terms of threat, the current and future technological and social developments that bear on cybersecurity practices can be systematically identified and analysed.