Yesterday, a short piece by Jan Silomon and myself went up on E-IR – accessible here. Here I offer some of my own thoughts on the article and hopefully some interpretations that I would like to be taken away and discussed further – on dehumanisation below life, the role of attribution and ‘quasi-state’ actors in cyber-attacks, and ultimately attempt to tread a ‘postcolonial’ security studies that sees this event as central to our understanding of cybersecurity.
As ever with writing, this was a much more complex piece than both of us imagined it would initially be – and was meant to be a ‘quick’ response to the events that happened in May 2019. In this piece, I’ll move into the singular ‘I’ to discuss the article as this is very much my interpretation and cannot be attributed to both of us.
After the posting of this tweet, it seemed to ring so strongly what has happened elsewhere with the gamification (and trivialisation) of warfare. However, this had some a much more distinctive edge compared to other ‘conventional’ responses. First, was the connection to malware, and second, that it is *exceptionally* unusual to see a kinetic response to a cyber-attack (at least one that has been publicly attributed).
For me, that is what was exceptional – and this is what the short article tried to navigate. In particular, I express a serious worry over the pathologisation of Hamas as malware (regardless of their actions) – which informs a dehumanisation of certain bodies to a plane of abstraction through computer code that can easily be ‘wiped’ clean. It is also perhaps an ‘interesting’ play from the IDF on how malware was perhaps used by Hamas (in what we can only call an alleged attack). It was Jan(tje) who most clearly picked up on this, and I was happy to explore this side in greater detail. However, this abstraction to malware or other nonhuman ‘things’ is a common trope to try and dehumanise the other throughout (post)colonial thought (and indeed racist thought) – as ‘rabid’ or animalistic. As we say in the article, this is unlikely to be intentional. But for me, comparisons to malware reduce even further the dehumanisation – to something below life itself. Something that can be ‘created’ by humans and thus easily ‘deleted’ and rendered easily disposable. I think this is a concerning movement in how cybersecurity and cyberattacks fit into the broader spheres of security and rational for attacks. This is something that is very much under-explored and requires much more thought and conceptualisation (and indeed is something I would like to pick up on further in something I am organising with others in Gießen, Germany next year).
Then there are the more ‘conventional’ IR concerns on the development of norms and trying to theorise how ‘kinetic’ responses occur in response to cyber-attacks. The IDF’s attack against Hamas’ ‘CyberHQ’ was indeed the second-only confirmed kinetic response to a cyber-attack that we know of. This does raise further questions (that I hope others will explore) around why these have both been against what we call ‘quasi-state’ actors that control an extent of territory (which I think is a core part of the story), and then what this means for the broader conceptualisation of how one justifies such an attack and what evidence (or not, in this case) is required. As the recent release of the French government’s strategy indicates, they do not have to explicitly set out nor publish their levels of attribution before launching a (non)kinetic response. This means that if attacks do happen (as they will almost inevitably do so in the future), there is likely to be some ‘public’ justification which arriving through Twitter or other media. As our ‘case’ shows, this may rely on gamified language itself, as a way to obscure technical details and strategic purpose. This is a dangerous path to follow – as this is likely to lead to further strategies to dehumanise or render ‘others’ as permissible to kill or injure. These are only thoughts now – but may become important parts of a state’s ‘arsenal’ with regard to cyber ‘kinetic’ responses. Thus, these ‘quasi-state’ actors, that are unlikely to have a de facto state in ‘control’, means that as symmetric ‘kinetic’ responses are far less likely to occur, they have become inadvertent ‘test-beds’ for such action. The lack of response to the IDF’s tweet is perhaps part of this – in its ‘ordinariness’ – that means that this becomes part of a ‘new’ normal, and is one of the reasons why I wanted to write the article.
As in any co-authored piece there are compromises. One that didn’t make a final cut was a core issue of Eurocentrism in (cyber)security – that has been raised by many ‘postcolonial’ scholars such as Barkawi and Laffey (2006). That is, those in non-European contexts have been seen as peripheral to the ‘core’ concerns of security. That is, places such as Gaza are seen as peripheral to ‘true’ security concerns. In this short article, I hope (though perhaps unsuccessfully) that we have reorientated at least partially this centre, where we see that this conflict as central to understanding contemporary cybersecurity and international relations. I don’t think we can cast it off as some form of ‘other’ case that is not central to global (in)securities. Indeed, this is not simply a case of the ‘Israel-Palestine’ conflict (though this is an essential basis). The IDF’s tweet opens up a door to understand the politics and powers at play (between Hamas and the IDF) that are differential, to permit an understanding of the justificatory mechanisms for cyber-attacks and how Twitter and air-strikes may be used in the future elsewhere.