Hostname: page-component-cd9895bd7-jkksz Total loading time: 0 Render date: 2024-12-26T20:06:02.295Z Has data issue: false hasContentIssue false

The ontological politics of cyber security: Emerging agencies, actors, sites, and spaces

Published online by Cambridge University Press:  02 September 2020

Tobias Liebetrau*
Affiliation:
Centre for Military Studies, Department of Political Science, University of Copenhagen, Denmark
Kristoffer Kjærgaard Christensen
Affiliation:
Department of Political Science, University of Copenhagen, Denmark
*
*Corresponding author. Email: [email protected]

Abstract

In this article, we show how Annemarie Mol's notion of ontological politics helps to open up the research agenda for cyber security in Critical Security Studies. The article hence seeks to further the debate about STS and Critical Security Studies. The article's main claim is that the concept of ontological politics enables an engagement with the complex and transformative dynamics of ICT and the new security actors and practices that shape security politics in the digital age. By examining the virulent attacks executed by the Mirai botnet – one of the world's largest, fiercest, and most enduring botnets – we point to four aspects of cyber security that attention to the ontological politics of cyber security attunes us to: the proliferation and entanglement of security agencies, actors, sites, and spaces. These aspects of cyber security, we argue, are becoming increasingly prominent alongside the development of the Internet of Things (IoT) and 5G network technology. In conclusion, we discuss the wider security theoretical and normative-democratic implications of an engagement with the ontological politics of security by exploring three avenues for additional conversation between ontological politics and Critical Security Studies.

Type
Research Article
Copyright
Copyright © The Author(s), 2020. Published by Cambridge University Press on behalf of the British International Studies Association

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 Undeniably, cyber threats and risks are presented as some of the most pressing security issues confronting contemporary societies. In 2018 the cyber threat was once again ranked among the biggest threats in the World Wide Threat Assessment of the US Intelligence Community (Daniel R. Coats, ‘Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community’ (Washington, DC: Office of the Director of National Intelligence, 23 May 2017); Along the same lines, President of the European Commission Jean-Claude Juncker stated in his 2017 State of the Union Address that ‘Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks.’ Jean-Claude Juncker, ‘President Jean-Claude Juncker's State of the Union Address 2017’, European Commission (13 September 2017).

2 Balzacq, Thierry and Cavelty, Myriam Dunn, ‘A theory of actor-network for cyber-security’, European Journal of International Security, 1:2 (2016), pp. 176–98CrossRefGoogle Scholar.

3 Stevens, Tim, Cyber Security and the Politics of Time (Cambridge: Cambridge University Press, 2016)Google Scholar.

4 Carr, Madeline, ‘Public-private partnerships in national cyber-security strategies’, International Affairs, 92:1 (2016), pp. 4362CrossRefGoogle Scholar; Christensen, Kristoffer Kjærgaard and Liebetrau, Tobias, ‘A new role for “the public”? Exploring cyber security controversies in the case of WannaCry’, Intelligence and National Security, 34:3 (2019), pp. 395408CrossRefGoogle Scholar.

5 Mol, Annemarie, ‘Ontological politics: A word and some questions’, The Sociological Review, 47:S1 (1 May 1999), pp. 7489CrossRefGoogle Scholar.

6 For engagement with the technologisation of security see, for example, Amicelle, Antoine, Aradau, Claudia, and Jeandesboz, Jean, ‘Questioning security devices: Performativity, resistance, politics’, Security Dialogue, 46:4 (2015), pp. 293306Google Scholar; Ceyhan, Ayse, ‘Technologization of security: Management of uncertainty and risk in the age of bio metrics’, Surveillance & Society, 5:2 (2002), pp. 122CrossRefGoogle Scholar; Amoore, Lousie, The Politics of Possibility: Risk and Security beyond Probability (Durham, NC and London: Duke University Press, 2013)Google Scholar; Aradau, Claudia and Blanke, Tobias, ‘Governing others: Anomaly and the algorithmic subject of security’, European Journal of International Security, 3:1 (2018), pp. 121CrossRefGoogle Scholar; Bigo, Didier, ‘The (in)securitization practices of the three universes of EU border control: Military/navy–border guards/police–database analysts’, Security Dialogue, 45:3 (2014), pp. 209–25CrossRefGoogle Scholar; Huysmans, Jef, Security Unbound: Enacting Democratic Limits (London and New York: Routledge, Taylor & Francis Group 2014)CrossRefGoogle Scholar; and Linda Monsees, ‘Public relations: Theorizing the contestation of security technology’, Security Dialogue (2019), pp. 1–16.

7 Bauman, Zygmunt et al. , ‘After Snowden: Rethinking the impact of surveillance’, International Political Sociology, 8:2 (2014), p. 124CrossRefGoogle Scholar; Goede, M. De, ‘Afterword: Transversal politics’, in Guillaume, X. and Bilgin, P. (eds), Handbook of International Political Sociology (London and New York: Routledge, 2017), pp. 353–65Google Scholar.

8 Cavelty, Myriam Dunn, ‘Cybersecurity research meets science and technology studies’, Politics and Governance, 6:2 (2018), p. 28Google Scholar.

9 A botnet consists of one or more networks of infected computers/devices. Botnets are often controlled remotely by someone, usually referred to as a ‘botherder’, to perform specific functions, such as destributed denial-of-service attacks (DDoS attacks), often without the knowledge of the owners of the infected computers/devices.

10 An argument often associated with security practices that are said to empower bureaucracies and everyday professionals and/or invoke a technocratic security logic. See Amicelle, Aradau, and Jeandesboz, ‘Questioning security devices’; Bigo, ‘The (in)securitization practices of the three universes of EU border control’; Huysmans, Security Unbound; Monsees, Linda, Crypto-politics: Encryption and Democratic Practices in the Digital Era (London and New York, Routledge, 2020)Google Scholar.

11 Schouten, Peer, ‘Security as controversy: Reassembling security at Amsterdam airport’, Security Dialogue, 45:1 (2014), p. 27CrossRefGoogle Scholar.

12 For related observations in Critical Security Studies, see ibid., pp. 23–42; Rothe, Delf, ‘Seeing like a satellite: Remote sensing and the ontological politics of environmental security’, Security Dialogue, 48:4 (2017), pp. 334–53CrossRefGoogle Scholar and Elbe, Stefan and Buckland-Merret, Gemma, ‘Entangled security: Science, co-production, and intra-active insecurity’, European Journal of International Security, 4:2 (2019), pp. 123–41CrossRefGoogle Scholar.

13 Already around the turn of the millennium, Ronald Deibert, a central figure in the critical academic study of the intersection between ICT and international relations (including cyber security), forcefully argued for the need to include the role that ICT and its material properties play in shaping these issues when theorising cyber security. However, as Deibert himself moved on to pursue more empirical and problem-oriented work as the Director of the Citizen Lab at the University of Toronto, largely abstaining from theorisation of socio-technical dynamics, eclipsed this line of thinking in the critical literature for a while.

14 Balzacq and Cavelty, ‘A theory of actor-network for cyber-security’.

15 Cavelty, ‘Cybersecurity research meets science and technology studies’; Christensen and Liebetrau, ‘A new role for “the public”’.

16 Collier, Jamie, ‘Cyber security assemblages: A framework for understanding the dynamic and contested nature of security provision’, Politics and Governance, 6:2 (2018)CrossRefGoogle Scholar; Simon, Stephanie and Goede, Marieke de, ‘Cybersecurity, bureaucratic vitalism and European emergency’, Theory, Culture and Society, 32:2 (2015), pp. 79106CrossRefGoogle Scholar.

17 Balzacq and Cavelty, ‘A theory of actor-network for cyber-security’.

18 Ibid., p. 178; See also the special issue of Politics and Governance, 6:2 (2018) on ‘Global cybersecurity: new direction in theory and methods’.

19 Huysmans, Jef, ‘What's in an act? On security speech acts and little security nothings’, Security Dialogue, 42:4–5 (2011), p. 377CrossRefGoogle Scholar.

20 Huysmans, Jef, ‘Democratic curiosity in times of surveillance’, European Journal of International Security, 1:1 (2016), p. 92CrossRefGoogle Scholar.

21 Schouten, ‘Security as controversy’, p. 27.

22 Barry, Andrew, ‘The translation zone: Between actor-network theory and international relations’, Millennium: Journal of International Studies, 41:3 (2013), p. 418Google Scholar; Mol, Annemarie, ‘Actor-network theory: Sensitive terms and enduring tensions’, Kölner Zeitschrift Für Soziologie Und Sozialpsychologie, 50:1 (2010), pp. 253–69Google Scholar.

23 Joronen, Mikko and Häkli, Jouni, ‘Politicizing ontology’, Progress in Human Geography, 41:5 (2017), pp. 561–79CrossRefGoogle Scholar.

24 Cavelty, ‘Cybersecurity research meets science and technology studies’, p. 28.

25 Commonly known as one of the largest and most disruptive distributed denial of service (DDoS) attacks hitherto.

26 Stevens, Tim, ‘Global cybersecurity: New directions in theory and methods’, Politics and Governance, 6:2 (2018), pp. 14CrossRefGoogle Scholar.

27 Bendrath, Ralf, Eriksson, Johan, and Giacomello, Giampiero, ‘From “cyberterrorism” to “cyberwar”, back and forth: How the United States securitized cyberspace’, in Eriksson, Johan and Giacomello, Giampiero (eds), International Relations and Security in the Digital Age (London: Routledge, 2007), pp. 5782Google Scholar; Cavelty, Myriam Dunn, ‘Cyber-terror: Looming threat or phantom menace? The framing of the US cyber-threat debate’, Journal of Information Technology & Politics, 4:1 (2007), pp. 1936CrossRefGoogle Scholar; Cavelty, Myriam Dunn, Cyber-Security and Threat Politics: US Efforts to Secure the Information Age (London: Routledge, 2008)Google Scholar; Eriksson, Johan, ‘Cyberplagues, IT, and security: Threat politics in the information age’, Journal of Contingencies and Crisis Management, 9:4 (2001), pp. 200–10CrossRefGoogle Scholar; Hansen, Lene and Nissenbaum, Helen, ‘Digital disaster, cyber security, and the Copenhagen School’, International Studies Quarterly, 53:4 (2009), pp. 1155–75CrossRefGoogle Scholar; Lawson, Sean, ‘Beyond cyber-doom: Assessing the limits of hypothetical scenarios in the framing of cyber-threats’, Journal of Information Technology & Politics, 10:1 (2013), pp. 86103CrossRefGoogle Scholar.

28 The conventional scholarly literature on cyber security tends to be either policy-oriented and problem-solving or centred around conventional debates of power, warfare, and strategic thinking. For examples of the latter, which have emerged out of strategic studies, see, for example, Betz, David J. and Stevens, Tim, Cyberspace and the State: Toward a Strategy for Cyber-Power (London: IISS, The International Institute for Strategic Studies, 2011)Google Scholar; Farwell, James P. and Rohozinski, Rafal, ‘Stuxnet and the future of cyber war’, Survival, 53:1 (2011), pp. 2340CrossRefGoogle Scholar; Farwell, James P. and Rohozinski, Rafal, ‘The new reality of cyber war’, Survival, 54:4 (2012), pp. 107–20CrossRefGoogle Scholar; Libicki, Martin C., Conquest in Cyberspace, National Security and Information Warfare (Cambridge: Cambridge University Press, 2007)CrossRefGoogle Scholar; Libicki, Martin C., Cyberdeterrence and Cyberwar (Santa Monica: Rand Corporation, 2009)Google Scholar; Rid, Thomas, Cyber War Will Not Take Place (London: Hurst, 2013)Google Scholar; Valeriano, Brandon and Maness, Ryan C., Cyber War versus Cyber Realities: Cyber Conflict in the International System (Oxford: Oxford University Press, 2015)CrossRefGoogle Scholar.

29 Betz, David J. and Stevens, Tim, ‘Analogical reasoning and cyber security’, Security Dialogue, 44:2 (2013), pp. 147–64CrossRefGoogle Scholar; Cavelty, Myriam Dunn, ‘From cyber-bombs to political fallout: Threat representations with an impact in the cyber-security discourse’, International Studies Review, 15:1 (2013), pp. 105–22CrossRefGoogle Scholar; Lawson, Sean, ‘Putting the “war” in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States’, First Monday, 17:7 (2012)CrossRefGoogle Scholar.

30 Bonelli, Laurent and Ragazzi, Francesco, ‘Low-tech security: Files, notes, and memos as technologies of anticipation’, Security Dialogue, 45:5 (2014), pp. 476–93CrossRefGoogle Scholar.

31 This critique is indeed also raised against securitisation theory as such. It relates to the critique regarding staticity/fixation that has been raised against the Copenhagen School framework as such. See, for example, Huysmans, ‘What's in an act?’ and Gad, Ulrik Pram and Petersen, Karen Lund, ‘Concepts of politics in securitization studies’, Security Dialogue, 42:4–5 (2011), p. 319Google Scholar. In a recent contribution, Lise Philipsen nicely sums up this critique of the theory: ‘a specific logic must be used and this must be done from a position of historically contingent authority. The theory is, so to speak, fixed both from the inside (the logic) and the outside (the context)’. See Lise Philipsen, ‘Performative securitization: From conditions of success to conditions of possibility’, Journal of International Relations and Development (2018), pp. 1–25.

32 Hansen and Nissenbaum, ‘Digital disaster, cyber security, and the Copenhagen School’.

33 Eriksson, ‘Cyberplagues, IT, and security’.

34 Cavelty, ‘From cyber-bombs to political fallout', p. 106.

35 Ibid., p. 118.

36 Hansen and Nissenbaum, ‘Digital disaster, cyber security, and the Copenhagen School’, p. 1166.

38 Cavelty, ‘From cyber-bombs to political fallout’, p. 107.

39 Bendrath, Eriksson, and Giacomello, ‘From “cyberterrorism” to “cyberwar”, back and forth’, p. 61.

40 Hansen and Nissenbaum, ‘Digital disaster, cyber security, and the Copenhagen School’, pp. 1167–8.

41 This is further underlined, as Hansen and Nissenbaum state that they break with Ronald Deibert's claims regarding the importance of materiality and technology outside of sole discourse. See Hansen and Nissenbaum, ‘Digital disaster, cyber security, and the Copenhagen School’, p. 1162, fn. 6.

42 Balzacq and Cavelty, ‘A theory of actor-network for cyber-security’, p. 179.

43 For an overview of the engagement with the technologisation of security, see fn. 6.

44 Collier, ‘Cyber security assemblages’, p. 15.

45 Mol, ‘Ontological politics'; Annemarie Mol, The Body Multiple: Ontology in Medical Practice (Durham, NC and London: Duke University Press, 2002).

46 Aradau, Claudia and Huysmans, Jef, ‘Critical methods in International Relations: The politics of techniques, devices and acts’, European Journal of International Relations, 20:3 (2014), pp. 596619CrossRefGoogle Scholar; Gad, Christopher, Jensen, Casper Bruun, and Winthereik, Brit Ross, ‘Practical ontology: Words in STS and anthropology’, NatureCulture, 3:10 (2015), pp. 6786Google Scholar; Haraway, Donna J., Simians, Cyborgs and Women: The Reinvention of Nature (London: Free Association, 1991)Google Scholar; Jasanoff, Sheila, ‘Afterword’, in Jasanoff, Sheila (ed.), States of Knowledge: The Co-Production of Social Order (London: Routledge, 2004), pp. 274–82CrossRefGoogle Scholar; Law, John, After Method: Mess in Social Science Research (London and New York: Routledge, 2004)CrossRefGoogle Scholar.

47 Within IR and Critical Security Studies, broadly speaking, similar traits and tendencies can be found in the burgeoning interest in importing insights from Science and Technology Studies (STS), and especially actor-network theory (ANT) and assemblage thinking, as part of what some scholars have called the ‘material turn’ or ‘new materialism’. See, for example, Acuto, Michele and Curtis, Simon (eds), Reassembling International Theory: Assemblage Thinking and International Relations (Basingstoke and New York: Palgrave Pivot, 2014)CrossRefGoogle Scholar; Aradau, Claudia, ‘Security that matters: Critical infrastructure and objects of protection’, Security Dialogue, 41:5 (2010), pp. 491514CrossRefGoogle Scholar; Barry, ‘The translation zone'; Bueger, Christian, ‘Territory, authority, expertise: Global governance and the counter-piracy assemblage’, European Journal of International Relations, 24:3 (2018), pp. 614–37CrossRefGoogle Scholar; Salter, Mark B. (ed.), Making Things International, 1: Circuits and Motion (Minneapolis and London: University of Minnesota Press, 2015)Google Scholar; Salter, Mark B. (ed.), Making Things International, 2: Catalysts and Reactions (Minneapolis and London: University of Minnesota Press, 2016)Google Scholar.

48 Mol, ‘Ontological politics’; Mol, The Body Multiple; Marres, Noortje, ‘Why political ontology must be experimentalized: On eco-show homes as devices of participation’, Social Studies of Science, 43:3 (2013), pp. 417–43CrossRefGoogle Scholar; Winthereik, Brit Ross, ‘Den ontologiske vending i antropologi og Science and Technology Studies’, STS Encounters: Research Papers from DASTS, 7:2 (2015), pp. 132Google Scholar; Woolgar, Steve and Lezaun, Javier, ‘The wrong bin bag: A turn to ontology in Science and Technology Studies?’, Social Studies of Science, 43:3 (1 June 2013), pp. 321–40CrossRefGoogle Scholar.

49 Woolgar and Lezaun, ‘The wrong bin bag’, p. 323.

50 Marisol de la Cadena, ‘The politics of modern politics meets ethnographies of excess through ontological openings’, Cultural Anthropology (2014); Lien, Marianne Elisabeth, Becoming Salmon (Oakland: University of California Press, 2015)CrossRefGoogle Scholar.

51 Aradau, Claudia et al. (eds), Critical Security Methods: New Frameworks for Analysis (Abingdon and New York: Routledge, 2015)Google Scholar; Marres, ‘Why political ontology must be experimentalized'.

52 Cavelty, ‘Cybersecurity research meets science and technology studies’; Christensen and Liebetrau, ‘A new role for “the public”’.

53 Schouten, ‘Security as controversy'.

54 Mol, The Body Multiple, p. 6

55 Mol, The Body Multiple; Law, John, ‘Actor Network Theory and material semiotics’, in Turner, Bryan S. (ed.), The New Blackwell Companion to Social Theory (Chichester and Malden, MA: Wiley-Blackwell, 2009), pp. 141–58CrossRefGoogle Scholar.

56 Moser, Ingunn, ‘Making Alzheimer's disease matter: Enacting, interfering and doing politics of nature’, Geoforum, 39:1 (2008), p. 99CrossRefGoogle Scholar.

57 Latour, Bruno, Reassembling The Social: An Introduction to Actor-Network-Theory (Oxford: Oxford University Press, 2005)Google Scholar.

58 Moser, ‘Making Alzheimer's disease matter’, p. 99.

59 Barry, Andrew, ‘The anti-political economy’, Economy and Society, 31:2 (2002), pp. 268–84CrossRefGoogle Scholar; Barry, ‘The translation zone’, p. 7; Rothe, ‘Seeing like a satellite’, p. 337; Schouten, ‘Security as controversy’, p. 37.

60 Amicelle, Aradau, and Jean Jeandesboz, ‘Questioning security devices’, p. 297.

61 Mol, The Body Multiple, p. 54.

62 Balzacq and Cavelty, ‘A theory of actor-network for cyber-security’; Deibert, Ron J., Parchment, Printing, and Hypermedia (New York: Columbia University Press, 1997)Google Scholar; Deibert, Ron J., ‘Black Code: Censorship, surveillance, and the militarisation of cyberspace’, Millennium: Journal of International Studies, 32:3 (2003) pp. 501–30CrossRefGoogle Scholar; van der Wagen, Wytske and Pieters, Wolter, ‘From cybercrime to cyborg crime: Botnets as hybrid criminal actor-networks’, British Journal of Criminology, 55:3 (2015), pp. 578–95CrossRefGoogle Scholar.

63 Winner, Langdon, ‘Do artifacts have politics?’, Daedalus, 109:1 (1980), pp. 121–36Google Scholar.

64 Barry, Andrew, Political Machines: Governing a Technological Society (London and New York: The Athlone Press, 2001)Google Scholar; Jasanoff, Sheila (ed.), States of Knowledge: The Co-Production of Social Order (London: Routledge, 2004)CrossRefGoogle Scholar; Mareile Kaufmann and Julien Jeandesboz, ‘Politics and “the digital”: From singularity to specificity’, European Journal of Social Theory (2016), pp. 1–20.

65 Mol, The Body Multiple, p. 55.

66 Allen, John, ‘Powerful assemblages?’, Area, 43:2 (June 2011), p. 154CrossRefGoogle Scholar

67 Monsees, Crypto-politics; Schouten, ‘Security as controversy’; Walters, William, ‘Drone strikes, dingpolitik and beyond: Furthering the debate on materiality and security’, Security Dialogue, 45:2 (2014)CrossRefGoogle Scholar.

68 Mol, ‘Ontological politics'.

69 Mol, Annemarie and Law, John, ‘Complexities: An introduction’, in Law, John and Mol, Annemarie (eds), Complexities: Social Studies of Knowledge Practices (Durham, NC and London: Duke University Press, 2002), p. 1Google Scholar.

70 Lien, Becoming Salmon, p. 5.

71 Rahman, Arafatur and Asyhari, A. Taufiq, ‘The emergence of Internet of things (IoT): Connecting anything, anywhere’, Computers, 8:40 (2019), pp. 14CrossRefGoogle Scholar; Maras, Marie-Helen and Wandt, Adam Scott, ‘Enabling mass surveillance: Data aggregation in the age of big data and the Internet of Things’, Journal of Cyber Policy, 4:2 (2019), pp. 160–77CrossRefGoogle Scholar.

72 Pierre-Antoine Vervier and Yun Shen, ‘Before toasters rise up: A view into the emerging IoT threat landscape’, in M. Bailey, T. Holz, M. Stamatogiannakis, and S. Ioannidis (eds), Research in Attacks, Intrusions, and Defenses (21st International Symposium, RAID, Heraklion, Crete, September 2018), pp. 556–76.

73 Manos Antonakakis et al., ‘Understanding the Mirai Botnet’, in ‘Proceedings of the 26th USENIX Security Symposium’, Vancouver, BC, Canada, 16–18 August 2017, pp. 1093–10.

74 Vervier and Shen, ‘Before toasters rise up’, p. 556.

75 McAfee Labs Threats Report (April 2017), p. 31.

76 Brian Krebs, ‘Krebs on security hit with record DDoS’, Krebs on Security, available at: {https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/} accessed 29 August 2019.

77 Scott and Spaniel, ‘Rise of the Machines: The Dyn Attack Was Just a Practice Run’ (2016), p. 4.

78 At its peak, the Dyn attack generated 1.2 Tbps of traffic, rendering websites such as Amazon, Twitter, and PayPal inaccessible. McAfee Labs Threats Report, p. 2; Kate Conger, ‘The Mirai Botnet's Internet takedown opens up a new market for attackers and defenders’, TechCrunch, available at: {https://techcrunch.com/2016/10/25/the-mirai-botnets-internet-takedown-opens-up-a-new-market-for-attackers-and-defenders/} accessed 29 August 2019.

79 For an in-depth engagement with security, temporality, and the event, see Lundborg, Tom, Politics of the Event: Time, Movement, Becoming (Abingdon and New York: Routledge 2012)CrossRefGoogle Scholar and Stevens, Cyber Security and the Politics of Time.

80 Deseriis, Marco, ‘Hacktivism: On the use of botnets in cyberattacks’, Theory, Culture & Society, 34:4 (2017), pp. 131–52CrossRefGoogle Scholar.

81 van der Wagen and Pieters, ‘From cybercrime to cyborg crime’, p. 579.

82 Jane Bennet, Vibrant Matter: A Political Ecology of Things (Durham, NC and London: Duke University Press 2009).

83 Balzacq and Cavelty, ‘A theory of actor-network for cyber-security’; Kaufmann and Jeandesboz, ‘Politics and “the digital”'.

84 Balzacq and Cavelty, ‘A theory of actor-network for cyber-security’.

85 In 2016 approximately 17 billion IoT devices were connected to the Internet. By 2019 that figure has risen to approximately 25 billion. Statista, ‘Internet of Things (IoT) Connected Devices Installed Base Worldwide from 2015 to 2025 (in Billions)’, available at: {https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/accessed 29 August 2019}.

86 The Mirai botnet embed a decentralised peer-to-peer architecture that turns every bot into a server that can handle instructions to other bots.

87 See fn. 9 for definition of botherder.

88 Tara Seals, ‘Mirai botnet sees big 2019 growth, shifts focus to enterprises’, Threatpost, available at: {https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/} accessed 6 January 2020.

89 van der Wagen and Pieters, ‘From cybercrime to cyborg crime’, p. 588.

90 Pickering, Andrew, The Mangle of Practice: Time, Agency, and Science (Chicago: The University of Chicago Press 1995)CrossRefGoogle Scholar and Bourne, Mike, Johnson, Heather, and Lisle, Debbie, ‘Laboratizing the border: The production, translation and anticipation of security technologies’, Security Dialogue, 46:4 (2015), pp. 307–25CrossRefGoogle Scholar.

91 Pickering, The Mangle of Practice, p. 22.

92 Mol, The Body Multiple, pp. 81–2.

93 Tara Seals, ‘Mirai botnet sees big 2019 growth, shifts focus to enterprises’, Threatpost, available at: {https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/} accessed 6 January 2020.

94 Tara Seals, ‘Mirai botnet sees big 2019 growth, shifts focus to enterprises’, Threatpost, available at: {https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/} accessed 6 January 2020; Charles DeBeck, ‘I can't believe Mirais: Tracking the infamoua IoT malware’, SecurityIntelligence, available at: {https://securityintelligence.com/posts/i-cant-believe-mirais-tracking-the-infamous-iot-malware-2/} accessed 6 January 2020

95 Bennet, Jane, ‘The agency of assemblages and the North American blackout’, Public Culture, 17:3 (2005), p. 447Google Scholar.

96 Scott and Spaniel, ‘Rise of the Machines'; McAfee Labs Threats Report.

97 The highest densities of infected devices were in Vietnam, Brazil, the United States, China, and Mexico. Scott and Spaniel, ‘Rise of the Machines'.

98 Simon and de Goede, ‘Cybersecurity, bureaucratic vitalism and European emergency’, p. 80.

99 Balzacq and Cavelty, ‘A theory of actor-network for cyber-security’, p. 188.

100 Latour, Bruno, Politics of Nature: How to Bring the Sciences into Democracy (Cambridge, MA: Harvard University Press 2004), p. 75Google Scholar.

101 Bennett, ‘The agency of assemblages and the North American blackout’, p. 457.

102 Law, ‘Actor Network Theory and material semiotics’; Mol, ‘Ontological politics’.

103 Mol and Law, ‘Complexities’, p. 1.

104 Aradau et al. (eds), Critical Security Methods, p. 78; Bennet, ‘The agency of assemblages and the North American blackout’; Bennett, Vibrant Matter.

105 See, for example, Huysmans, ‘What's in an act?’; Walker, R. B. J., The Subject of Security in Critical Security Studies: Concepts and Cases, ed. Krause, Keith and Williams, Michael C. (Minneapolis: University of Minnesota Press, 1997)Google Scholar. Rather, cyber security practices involve ‘actors who are different in power and kind (state, corporate, group, individual) and connected nodally through networks rather than hierarchically through states’. Derian, James Der, Virtuous War: Mapping the Military-Industrial-Media-Entertainment-Network, 2nd edn (New York and London: Routledge, 2009), p. 209CrossRefGoogle Scholar.

106 Barry, Andrew, ‘Political situations: Knowledge controversies in transnational governance’, Critical Policy Studies, 6:3 (2012), pp. 324–36CrossRefGoogle Scholar.

107 On responsibilisation see, for example, Petersen, Karen Lund, Corporate Risk and National Security Redefined (London: Routledge, 2012)CrossRefGoogle Scholar; Petersen, Karen Lund and Tjalve, Vibeke Schou, ‘(Neo)republican security governance? US homeland security and the politics of “shared responsibility”’, International Political Sociology, 7:1 (2013), pp. 118CrossRefGoogle Scholar; Tobias Liebetrau, ‘EU Cybersecurity Governance: Redefining the Role of the Internal Market (PhD dissertation, University of Copenhagen, 2019).

108 Carr, ‘Public-private partnerships in national cyber-security strategies’; Cavelty, M. D. and Suter, M., ‘Public-private partnerships are no silver bullet: An expanded governance model for critical infrastructure protection', International Journal of Critical Infrastructure Protection, 2:4 (2009), pp. 179–87CrossRefGoogle Scholar; Christensen, Kristoffer K. and Petersen, Karen L., ‘Public-private partnerships on cyber security: A practice of loyalty’, International Affairs, 93:6 (2017), pp. 1435–52CrossRefGoogle Scholar.

109 Brad Smith, ‘The Need for Digital Geneva Convention’, Keynote address, RSA Conference, San Francisco, 2017.

110 Manos Antonakakis et al. ‘Understanding the Mirai Botnet’, p. 1093.

111 Brian Krebs, ‘Naming & shaming web polluters: Xiongmai’, Krebs on Security, available at: {https://krebsonsecurity.com/2018/10/naming-shaming-web-polluters-xiongmai/} accessed 29 August 2019; Brian Krebs, ‘Hacked cameras, DRV's powered today's massive Internet outage’, Krebs on Security, available at: {https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/} accessed 29 August 2019; Brian Krebs, ‘Who makes the IoT things under attack’, Krebs on Security, available at: {https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/} accessed 29 August 2019.

112 Manos Antonakakis et al., ‘Understanding the Mirai botnet’, p. 1094.

113 Ibid., p. 1100.

114 Christensen and Petersen, ‘Public–private partnerships on cyber security’; Christensen and Liebetrau, ‘A new role for “the public”?’; and Kristoffer Kjærgaard Christensen, ‘Corporate Zones of Cyber Security’ (PhD dissertation, University of Copenhagen, 2018) also explore the role of private companies beyond national security practices

115 Bruce Schneier, ‘We need to save the Internet from the Internet of Things’, Motherboard – Tech by Vice, available at: {https://motherboard.vice.com/en_us/article/ezpq3m/we-need-to-save-the-internet-from-the-internet-of-things} accessed 29 August 2019.

116 Cavelty, ‘From cyber-bombs to political fallout'; Hansen and Nissenbaum, ‘Digital disaster, cyber security, and the Copenhagen School’.

117 Dan Goodinn, ‘Creepy IoT Teddy Bear Leaks >2 million parents’ and kids’ voice messages’, Ars Technica, available at: {https://arstechnica.com/information-technology/2017/02/creepy-iot-teddy-bear-leaks-2-million-parents-and-kids-voice-messages/} accessed 29 August 2019; Joanna Stern, ‘The connected medicine cabinet: Bluetooth pregnancy test makes debut at CES 2016’, Wall Street Journal, available at: {https://www.wsj.com/articles/the-connected-medicine-cabinet-bluetooth-pregnancy-test-makes-debut-at-ces-2016-1452045541} accessed 29 August 2019.

118 Mol, ‘Ontological politics’, p. 74.

119 Ulrich Beck, World Risk Society (Cambridge: Polity, 1999).

120 Walters, William, Governmentality: Critical Encounters (London and New York: Routledge, 2012)CrossRefGoogle Scholar.

121 Law, John and Urry, John, ‘Enacting the social’, Economy and Society, 33:3 (2004), p. 404CrossRefGoogle Scholar.

122 Ibid., p. 396.

123 See, for example, Bigo, D., ‘The Möbius ribbon of internal and external security(ies)’, in Albert, M., Jacobson, D. and Lapid, Y. (eds), Identies, Borders, Orders: Rethinking International Relations Theory (Minneapolis: University of Minnesota Press, 2001), pp. 91116Google Scholar; Collective, CASE, ‘Critical Approaches to Security in Europe: A networked manifesto’, Security Dialogue, 37:4 (2006), pp. 443–87CrossRefGoogle Scholar; Huysmans, Jef, The Politics of Insecurity: Fear, Migration and Asylum in the EU (London: Routledge, 2006)CrossRefGoogle Scholar; Kaufmann and Jeandesboz, ‘Politics and “the digital”’; Neal, Andrew W., ‘Securitization and risk at the EU border: The origins of FRONTEX’, JCMS: Journal of Common Market Studies, 47 (2009), pp. 333–56Google Scholar; Wæver, Ole, ‘Politics, security, theory’, Security Dialogue, 42:4–5 (2011), pp. 465–80CrossRefGoogle Scholar.

124 Joronen, Mikko and Häkli, Jouni, ‘Politicizing ontology’, Progress in Human Geography, 41:5 (2017), pp. 561–79CrossRefGoogle Scholar.

125 Balzacq and Cavelty, ‘A theory of actor-network for cyber-security’.

126 Mol, ‘Ontological politics’, p. 82.

127 Schouten, ‘Security as controversy'; Walters, ‘Drone strikes, dingpolitik and beyond'; Rothe, ‘Seeing like a satellite'.

128 Buzan, Barry, Wæver, Ole, and de Wilde, Jaap, Security: A New Framework for Analysis (Boulder, CO: Lynne Rienner, 1998)Google Scholar; Wæver, Ole, ‘Securitization and desecuritization’, in Lipschutz, Ronnie D. (ed.), On Security (New York: Columbia University Press, 1995), pp. 4686Google Scholar.

129 Huysmans, The Politics of Insecurity; Petersen, Karen Lund, Corporate Risk and National Security Redefined (Abingdon and New York: Routledge, 2012)CrossRefGoogle Scholar.

130 Huysmans, ‘What's in an act?'.

131 Hansen and Nissenbaum, ‘Digital disaster, cyber security, and the Copenhagen School’.

132 See, for example, Amicelle, Aradau, and Jean Jeandesboz, ‘Questioning security devices’; Huysmans, ‘Critical methods in International Relations’, ch. 7; Monsees, ‘Public relations’.

133 Marres, Noortje, ‘On some uses and abuses of topology in the social analysis of technology (or the problem with smart meters)’, Theory, Culture & Society, 29:4/5 (2012), p. 305CrossRefGoogle Scholar.

134 Jef Huysmans, ‘Democratic curiosity in times of surveillance’.