Hyper?Securitization, Everyday Security Practice and Technification: Cyber?Security Logics in Switzerland

This contribution to the SPSR debate about technology and security in Switzerland looks at how by whom cyber-security is constructed Swiss politics. Using three securitization logics as developed reflexive Security Studies – hyper-securitization, everyday practices, technification it illustrates actors have sorted out roles responsibilities over years. The article suggests that all are present political process, but ‘technification’ a way construct issue reliant upon technical knowledge supposition this serves normatively neutral agenda currently dominant one. For democratic politics, big challenge. Assigning an realm has depoliticizing influence makes contestation from those with less expertise very hard. In diesem Beitrag zur SZPW-Debatte über Technologie und Sicherheit der Schweiz wird untersucht, wie von wem Cybersicherheit Schweizer Sicherheitspolitik konstruiert wird. Anhand drei Versicherheitslichungslogiken („securitization logics“), die reflexiven Sicherheitsstudien entwickelt wurden nämlich Hyper-Versicherheitlichung, alltägliche Sicherheitspraktiken Technifizierung veranschaulicht, Akteure im Laufe Jahre Rollen Verantwortlichkeiten definiert haben. Der Artikel zeigt, dass alle Logiken politischen Prozess zwar vorhanden sind, allerdings derzeit „Technifizierung“, bei das Thema so dargestellt wird, technisches Wissen anderes übertrumpft dies einer normativ neutralen Agenda dient, dominiert. Für demokratische Politik ist eine grosse Herausforderung. Die Zuordnung eines Themas zum technischen Bereich hat einen entpolitisierenden Einfluss macht Anfechtung durch Personen mit weniger technischem Fachwissen sehr schwierig. Cette au débat RSSP sur la technologie et sécurité en Suisse examine comment par qui cybersécurité est construite dans politique de suisse. Utilisant trois logiques « sécurisation » développées des études réflexives - l'hyper-sécurisation, les pratiques quotidiennes -, l’article illustre acteurs suisses ont défini leurs rôles responsabilités. Il suggère que même si étaient présentes le processus politique, un moyen construire question comme reposant connaissances techniques couplée à cela sert programme normativement neutre actuellement dominante. Pour démocratique, représente défi tout particulier. Attribuer problème domaine technique une dépolitisante rend part ceux avec moins d’expertise très difficile. last two decades, steadily risen position of prominence on agendas worldwide. With some delay, sustained, even if relatively low-quantity output, theory-guided IR studies research topic can be found variety journals (Dunn Cavelty Wenger 2020). emergent literature, following often used division between problem solving theories reflective theories, either viewed something objectively measurable therefore isolated independent or dependent variable alternatively discourse practice, whose Gestalt not given, socially constructed. first approach examines state use cyber-tools for their military advantage analyses impact national international (for example: Borghard Longergan 2017; Kello Maness Valeriano 2016). second sees threats interested discursive competition differing ideas positions authority within states conducive establishing ‘truth’ Dunn 2008; Eriksson 2001; Lawson 2013). Rather than understanding politics reaction structural distribution power system, inward looking highlights contingent processes possibility change, described introduction debate. There no inevitability attached threat-security logic chooses react issue, opening up space discussion better alternatives. Given focus special section, we want show utility study Switzerland’s policy. Like many other states, authorities process defining policies sorting field. So far, policy formulation hardly been studied exception see 2014; Guitton 2017). Rather, related mostly focuses practices great powers, particular, US challenges cybersecurity. As result, studying small medium-sized powers one bigger gaps fill. Switzerland, main shape geopolitical environment wield cyber-power against strategic rivals rather, developing solutions ensure more resilience state, private sector, civil society. politically contested space, emerges sometimes formal, informal negotiation its bureaucracies, society, geared towards roles, responsibilities, legal boundaries acceptable rules behaviour Egloff 2019). what follows, introduce reader analytical framework larger purview ‘Securitization Theory’ allows us understand traits making. It shows based different bureaucratic threat representations. also case tell limits theory. Making argument best understood running continuum tendencies technological routine, previously under-discussed dynamic way, our talks several others example, like Klauser (Klauser 2021) Leese (Leese 2021), government entities new technologies Fischer (Wenger look questions governance. Technologies transform transformed them same time. An observation made 2006 saw “great difficulties theoretical adaptation application complexities emerging digital world” (Eriksson Giacomello 2006: 236). Not much later, wave theory happened context “critical turn” Europe, rooted “Copenhagen School” work Hansen & Nissenbaum 2009; Securitization formation agendas, arguing problems become primarily because measurable, existential exists, key successfully establish issues (Buzan al. 1998). speech act (Austin 1962 Searle 1969), which purports language performative act. acts significant utterances ‘define’ responses envisaged (Strizel 2007: 360-361). these underpinnings, Copenhagen School mainly official statements heads high-ranking officials institutions (Hansen 64). What elite overlooks, however, facilitated prepared vocal visible. social definition reality only—and above only final stages—held open arena. Empirical analysis reveals there always non-state ‘under radar’—i.e. specialised units, consultants experts—who capacity ‘the truth’ certain threats, thus pre-structuring field relevant ways (Huysmans 72; Léonard Kaunert 2011). Taking starting point, literature moved away cybersecurity product interaction technologies, processes, practices. pays particular attention uses representations danger create change political, private, social, commercial understandings selected public spheres (examples: Balzacq 2016; Collier 2018; Shires Stevens cyberspace, ‘cyber’ called sector own logic. most cited articles field, specify modalities together compose sectoral grammar 2009). These, they argue, tie referent objects, securitizing specific ways. logics, ‘hypersecuritization’, ‘everyday practices’, ‘technification’, serve heuristic dynamics Extending Buzan (2004), hypersecuritization refers narrated, potential, future catastrophes instantaneous, cascading destruction, coupled absence historical incidents magnitude 2009: 1163-1165). nature networked mega-catastrophes, such incidents, generates strong urgency impetus action. prominent invokes type discursively tied highest possible stakes, since survival Therefore, invoking powerful mobiliser help legitimise extraordinary undemocratic procedures Wæver 1995). Everyday mobilise individuals’ experiences insecurity both ensuring partnership compliance, connect hypersecuritizing scenarios lived 1165). Individual practice thereby gets cast potential remedy (i.e. individuals ‘responsible’ partners), well driver threats) network, consequently object (state, society). third logic, discourse’s construction audience-expert subject positions. Technification act, constructs 1167). constitution legitimises experts, rather actors, address cyber-in-security. remains incontestable closed expecting single dominate entire expected varying degrees times. To sociology (IPS) useful. Practice approaches need situating time words, contextualization: observe does necessarily apply next. exists co-evolves places time, being multifaceted assemblage designed protect networks, computers, programs data attack, damage, unauthorised access. ‘lived reality’ easy capture. get close possible, documents1 basis describe addition, institutional arrangements, including founding institutions/bodies, publication strategy papers, leading documents. further draws policy-consultancy conducted authors critical infrastructure protection. profits direct involvement efforts beginning personal meetings figures process.2 add glimpses into actual ‘lived’ next describing governmental intent. Below, sketch four crucial phases briefly. Space constraints do allow in-depth analysis, will highlight play section. information communication systematic manner started half 1990s. event was Strategic Leadership Exercise 1997 (SFU 97), RAND3-scenario hostile warfare activities. context, publications actions cyber-domain development form rapid increase connectivity population administration influenced timing exercise. After exercise, worked consolidated concept assurance. document, “Vulnerable Information Society Challenge Assurance”, introduced Four Pillar Model Assurance (ISB 2002: 23-26). pillars prevention, early warning, damage limitation, combating causes crisis drawn loosely classic risk management engineering At publication, partially aspiration. biggest task establishment Reporting Analysis Center (MELANI), held central pillars. preparation planning, MELANI got green light October 2003, became operational year after trial phase years, established permanent federal office assurance (Admin.ch 2007). years followed, able prove value, least handled cyber-incidents satisfactory. However, apparent around 2010: limited resources increasingly difficult fulfil tasks across One salient arguments expansion business could probably provide cost-effective without (Zedi 2003). developments cyber-realm pointed investment capabilities, existing system appeared insufficient counter severe (national type) cyber-threats. Thus, Federal Council instructed Department Defence, Civil Protection, Sports (DDPS), importantly, representatives department, develop cyber-defence strategy. aim coordination cyber-issues level beyond. agencies did approve direction going in, had lot militarised drafts. Because opposition, re-assigned section MELANI, DDPS reorganisation intelligence services. Within short under name „National protection cyber risks” (in National Cyber-Strategy, NCS) created. On 27 June 2012, adopted later implementation phase. Risk remained core concepts army excluded tasked 2017, Cyber-Strategy ended evaluated. done technocratic manner: hiring external consultancy group. group concluded building structures, products, major achievement. measure implemented measures attaining goals 2018a). ringing lasted year, structured turf battles units disagreements executive legislative. Importantly, ministry defence re-entered stage forcefully, incident RUAG, owned contractor. advanced persistent actor, who already rummaged network September 2014 (GovCERT 2016), compromised it. legislative intervened mandating centre competency (Eder 2017) training soldiers (Dittli strategy, council April 2018 2018b), mandated expand services beyond infrastructures businesses ‘general public’). hold consultative workshops stakeholders. Only January 2019, good parliament so, decided structure implements centre, encompassing head assuming ministries. committee overseeing level, consisting councillors (minister finance, minister defence, justice/police) May 2020, passed ‘The Ordinance Protecting Cyber-Risks Administration’, recent milestone creates organisation Confederation area cyber-risks governs cooperation Administration cantons, academia. sensitive processes. peculiarities cyber-security, helps specificities culture. Since embedded subjected any large ignores focused projection. Most characterised deliberate diffusion levels (Ladner take place multi-party directorial republic, concentrated person, exercised clear limits: federalism, shared regions.4 Such considerably restricts ability enforce when designing policies, responsible agency cautious. Furthermore, extensive cantonal local autonomy idea subsidiarity,5 means should perform cannot performed effectively immediate level. subsidiarity explicitly mentioned documents, signal necessary sensitivity power-arrangements given. additional factor. confrontation opposition consensus factions (Kriesi Trechsel 2008). important characteristics democracy coalition composed parties (the executive), parliament, decision-making compromise (Linder Iff 2011: 40). Consensus influences content tend represent interests once reach maturity usually ‘watered down’ vague policymaking taken ‘pre-parliamentary arena’, focusing organization itself. initiated charged draft document ‘bureaucracy’ plays role promotion interests: experts ministries, pre-parliamentary formulation. Cyber-security making successful representation documents entered organizations, each formulate represents view members. When evaluating results procedure, (and Council) proceed sufficient support (on general, Sager Vatter 2019: 205-206). hypersecuritization, narration cascading, though considered development, came fore areas. First, leadership exercises were modelled RAND methodology, importing Anglo-Saxon hypersecuritzation discourse. Second, nationalist rhetoric circles employ hypothetical display raison d’être capabilities. scenario enemy attacking resulting halt hospitals, nuclear stations, traffic systems, asked war (Lenz Overall, mobilizing does, United States. fact, challenged especially employed ask side government. Beyond similar European Union where falls flat (Dewar demonstrates theory’s assumption ‘urgency-survival’ strongest may false due factors culture alternative framing. hand, Practices invoked frequently Particularly, partners reinforced various debates. manifest credo everyone cyber-security. thinking echoes ideal demands leanest possible. responsibility whole collective highlighted through calls awareness prevention campaigns, informing broader risks countermeasures, aiming improve resiliency, everyday.6 Through individual directly outcomes collectives. Of three, intriguing ‘experts’ background drive ICT entrepreneurs, specialists, researchers. reflects securitised discourse, privilege given constructing issue. Other, non-technical commentators preface “I am expert, but…” demonstrating one’s contributions ‘technical’ technified visible throughout solutions, measured calculated complex formulas statistics), internet communicated (e.g. percent websites implement technology). contribution, demonstrated fruitfully approached constructivist research, specifically, approaches. Nissenbaum, case, present. influence, removes deliberations. By ‘genius few’, hard impossible valued discredit comes claim ‘neutral’ ‘a-political’, hence, valid anything seems emotional morals. interesting aspects theory, assumes actor make convincing exceptional works this. multiple voices audiences convince harder simple move urgency. ‘visible’ thoroughly. domain elites politicians. Instead, needs shift traditional outside creation security. evident closely intricacies culture, scholars comparative fields, becomes Bringing traditions conversation sub-disciplinary beneficial both. Myriam deputy teaching (CSS), ETH Zürich. Her uncertainty changing conceptions (inter-)national digitalised environment. E-mail: [email protected] Florian J. (DPhil Oxford) Senior Researcher Cybersecurity (CSS) Zurich. His security, particularly regard non- semi-state Email. Data sharing applicable datasets generated analysed during current study.