By now I am sure many of you have seen the news that Sony has indefinitely postponed/canceled the theatrical release of The Interview under threat from hackers apparently connected to the regime in North Korea. It is not clear whether the threat was explicitly against movie goers or against the companies screening the film, and whether the assault would be virtual or physical in form (although the Obama Administration has suggested the theatre threat was overblown and has criticized Sony for withholding the film). What is clear is that the cancellation costs Sony tens of millions of dollars in lost production and promotion costs and has established a precedent that digital assaults can produce real world costs and behavioral changes.
Quite striking is the shift in construction of the Sony issue as a threat. Previous breaches of corporate information technology (IT) security have hardly prompted the kind of national security discourses the Sony case has generated. Indeed, the earlier disclosure of sensitive emails from the Sony IT breach did not result in discussions of national threat. Certainly, the more international and public elements of the situation suggest greater basis for making a national security claim. And yet, the appearances are deceptive. The Obama Administration specifically downplayed the possible threat to cinemas, with the Department of Homeland Security indicating there was no credible threat to cinemas or theatregoers. The cancelation of the film is certainly costly, but most of the cost is born by Sony (to the tune of tens of millions of dollars). To that end, the IT breach is not any different from other corporate IT breaches where customer information has been compromised. The North Korean element is certainly substantive, but not altogether unique.
What the shift in discourse reveals is the socially constructed nature of threat. The public costs of the Sony IT breach are economically smaller than in other breaches, and the linkage to external state is not unique to the Sony case. So materially, there is little that obviously qualifies the Sony IT breach as a national security issue, much less something that calls for US government retaliation. The discursive shift regarding the national security ‘threat’ posed by the Sony incident highlights the utility of securitization theory for thinking about the issue of cyber security. Specifically, securitization theory directs our attention to how political actors are seeking to reconstruct the Sony IT breach in ways that justify extraordinary measures, in this case the US government risking conflict escalation with a isolated, reactive, and militarized regime in North Korea on behalf of a private economic/corporate entity. Notably, since the cancellation of the film discourses have highlighted core elements of American political identity, specifically the right to freedom of expression, as the basis of the security claim. This discursive shift suggests a societal boundary with respect to information technology issues in the United States between a private concern (Sony breach before film cancellation) and a public security matter.
Securitization also draws our attention to the political effects of security, and a consequence the costs of security. Who benefits from or is empowered by treating IT issues as security issues? What consequences arise from making IT security a national security matter? How can the state possibly mandate security measures for an issue that interweaves throughout the economy? What kinds of instabilities are created by involving states as security actors in the cyber realm with the strong potential of militarization? Certainly weak states will seek to take advantage of the asymmetric opportunities of global information technology, but the question of responsibility and countermeasures remains an open one for the most powerful and developed states in the system and whether those should lie with the state. Specifically, in past nonsecuritized (from the standpoint of the state) IT breaches, the responsibility and the cost were assumed to lie with the victimized corporation. Securitization shifts that responsibility and cost to the state.
I have long been a skeptic of the concept of cyber security as such, and for me securitization theory opens up an analytical space for critically interrogating the concept of cyber security, the process by which information technology issues are transformed into security, as well as the political and social effects of terming information technology as security.
**Thanks to Dave McCourt for helpful comments on this post!
For securitization experts, where does the social construction end? Certainly, within the framing of your post, there seems to be a well demarcated set of actors, discourses, and social processes to consider in terms of speech acts, interests, and meaning. To me, it falls prey to some of the domain critiques that come up in a somewhat different constructivist context — the problems Zefus presented of Wendt’s claims of innocence in picking a domain (that is, one picks an object to study like states and it’s a theoretically informed choice that is not part of the social construction one is study). In your case, the post (and the existing discussion on mainstream US media) plucks a corporation out of one social field (economics), places it into another (geopolitics), and then discusses the problem of the guest (and their nubile expectations and horrors for their new found security context). One of the main things that this misses is the broader context of economics, government, and the internet — especially the type of violence Sony through its proxy (the MPAA) and its allies (the RIAA) have enacted through draconian US regulations. There seems to be a linkage that should be made and not dismissed simply because of the silence on the issue in elite discussions that should broaden out the meaning of this film’s nonrelease beyond geopolitics.