Critical Studies on Security

ISSN: 2162-4887 (Print) 2162-4909 (Online) Journal homepage: https://www.tandfonline.com/loi/rcss20

The materiality of cyberthreats: securitization

logics in popular visual culture

Myriam Dunn Cavelty

To cite this article: Myriam Dunn Cavelty (2019): The materiality of cyberthreats: securitization
logics in popular visual culture, Critical Studies on Security, DOI: 10.1080/21624887.2019.1666632

To link to this article: https://doi.org/10.1080/21624887.2019.1666632

Published online: 25 Sep 2019.

Submit your article to this journal

Article views: 99

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=rcss20
CRITICAL STUDIES ON SECURITY
https://doi.org/10.1080/21624887.2019.1666632

ARTICLE

The materiality of cyberthreats: securitization logics in popular

visual culture
Myriam Dunn Cavelty
Department of Humanities, Social and Political Sciences, Center for Security Studies, ETH Zürich, Zürich,
Switzerland

ABSTRACT KEYWORDS
Critical security studies literature has only recently begun to take into Cybersecurity; cyberthreats;
account the influence of material aspects in the field of cybersecurity. This material turn; popular visual
article traces securitization logics in popular visual culture to show how culture; securitization;
these representations make sense of technical incidents politically via security politics; visual
studies; visuality
material objects. Using a mix of discourse analysis and semiology, three
types of threat representations are identified, showing a shift from depict-
ing computers themselves as the main threat to the manipulation of data as
exercise of power and finally, the wielding of code as weapon to create
physical damage. Material objects define the space of engagement, being
both the threat and what is threatened. By destabilising old authority
structures, they pose questions about legitimate political alternatives in
a world where only a handful of technical geniuses have the power to
shape rules and take on the role of ‘the protector’.

Introduction
The frictionless operation of digital technologies is considered an essential foundation for prospering
economies and stable societies in many parts of the world. As a result, threat discourses focusing on
cyberincidents, understood as disruptions of these routine operations, have come to hold a prominent
position in (inter)national security. Whereas the cybersecurity discourse was characterised by
attempts to mobilise political and economic resources through future-oriented doomsday scenarios
in the late 1990s until the early 2000s (cf. Lawson 2013), it has taken a new turn in the last decade due
to a mounting number of what is generally considered strategically motivated cyberincidents.1
For some years, critical security studies literature has favoured the application of securitization
theory to cybersecurity issues, an approach that is biased towards studying speech acts of political
elites or more generally, written texts of an official nature (Huysmans 2011, also Hansen 2011). In
contrast, with the increase of actual incidents, material aspects of cybersecurity are coming into
focus, not least because such a crucial part of cyberthreats is inherently material: Many cyber-
operations are conducted with the help of malicious software, in short ‘malware’. Malware is
written to execute sequences of actions in machines, producing physical effects according to the
semantics of the instructions in the program. Without actual execution, ‘code is imperceptible in
the phenomenological sense of evading the human sensorium’ (Parikka 2010, 118). Cyberthreats
therefore become visible and explicable through their performance and in extension, their
material effects. At first, though, the effects of malware unfold inside a machine. To become
security politically relevant, these technical effects need to be put into a broader context and
connected to something of value considered at threat (which is often an object, cf. Burgess 2007;

CONTACT Myriam Dunn Cavelty [email protected]

© 2019 York University
2 M. DUNN CAVELTY

Aradau 2010). Between the initial effect of code in the machine and the succeeding political
reading thus lies a process of meaning-making, a securitization process during which some
technical incidents are turned into visible cybersecurity incidents with security politically rele-
vance and impact.
In theory-guided critical research on cyberthreats, this recent shift to material aspects has not yet
been sufficiently taken into account. This article makes a contribution towards closing this gap both
theoretically and empirically. Given the intriguing and little understood relationship between invisible
code and visible effects, it analyses the visual representations that occupy the space in which the
technical is made political via the material. This way, the article makes the following contributions:
Theoretically, it amalgamates visual security studies with securitization theory and adds a particular
focus on materiality and practices. Empirically, it investigates the representation of cyberthreats in
popular visual culture.
Following in the footsteps of Francois Debrix’ insights about media-induced fears in the case of
cyberterror, this article starts from the premise that any technical computer incident meets an
already familiar discursive formation into which it is necessarily folded (Debrix 2007). It is that
formation that organises cyberthreats ‘into categories, strategies, typologies’, allowing us to speak
about them in a certain, organised and socially accepted manner and provides us with
a framework to situate ‘the truth’ (Debrix 2007, 28). Visual representations are part of this
formation, signifying a ‘temporary embodiment of social processes that continually construct
and deconstruct the world’ (Cresswell and Dixon 2002, 1). Even more, visuals occupy a special
place in this process: First, popular visual culture is the only site where we can experience
technical and political effects together, allowing an exclusive way of approaching the issue barred
to us in real life. Second, popular visual culture influences society’s knowledge about threats more
directly than other forms that are less easily approachable, like expert reports. Studying these
visual representations in a systematic manner thus provides us with extra insights into socially
shared discursive systems of knowledge and truth in the case of cyberthreats.
In the first part of this article, existing cybersecurity literature in critical security studies is
discussed and theoretical insights about the importance of popular visual culture for threat
representations are added. The second part of the paper uses a mix of discourse analysis and
semiology, the default method in visual studies (Rose 2016, 188), to study films and TV series for
representation of cyberthreats for the types of securitization logics that are present. Third, the
article identifies the discursive formation these representations belong to and talks about what this
signifies for the making and unmaking of cybersecurity as a political issue.

Bringing material visuals to the securitization of cybersecurity

The increase of politically relevant cyberincidents has led to a growing literature using strategic
studies concepts to study the ways state actors are using cybertools for their political or military
gains (Liff 2012) and analyses their effects on national and international security (Maness and
Valeriano 2016; Borghard and Lonergan 2017). In comparison, critical security studies literature
on cyberthreats is relatively sparse. A first wave used concepts derived from Securitization Theory
to see how different actors in politics established a link between cyberspace and national security
(Eriksson 2001; Dunn Cavelty 2008; Hansen and Nissenbaum 2009) or focused more specifically
on metaphors in the discourse to explain the choice of political response (Barnard-Wills and
Ashenden 2012; Stevens and Betz 2013; Dunn Cavelty 2013; Lawson 2013).
Cyberincidents are recognised as important in this literature, yet they are treated as discursive
constructions rather than as actual material events. Given the very low number of cyberincidents
considered strategically relevant until around 2010, the focus of the literature is on discursively
powerful, yet hypothetical cyberincident-scenarios of high magnitude. Only recently, a second
wave of critical cybersecurity literature has gone beyond an understanding of discursive forma-
tions anchored mainly in speech acts to give more weight to material and practice-oriented
 CRITICAL STUDIES ON SECURITY 3

aspects of the issue (Stevens 2016; Balzacq and Dunn Cavelty 2016; Collier 2018; Shires 2018).
This literature recognises that the political reading of cyberincidents cannot be divorced from the
material realities of computer disruptions and the knowledge practices in technical communities.
However, since it is strongly rooted in Science Technology Studies, which favours looking at
socio-technical orders on the national level, the literature has difficulties linking its findings to
international political communities that are of importance in security studies and international
relations (cf. McCarthy 2018, 236ff.)
This article attempts to bring critical security studies and particularly securitization theory back
into this more recent focus on material aspects of cyberthreats. It does so by using insights from
visual security studies to show how popular visual culture influences the discursive formation of
cyberthreats (cf. Carver 2010, 426) and how its ways of making the threat visual offer particular
ways of securitizing technical incidents through material and practical aspects.
In the visual security studies literature, it is mainly the link between popular culture and national
security identity that has been studied (for example: Löfflmann 2013; MacLennan 2016). It is under-
stood that popular visual culture co-produces a shared understanding of politics, whereby acceptable
behaviour of state and non-state actors is both legitimated and naturalised by it (Lacy 2003; also
Weber 2001, 133–134; Dodds 2005, 267). However, the projection and legitimisation of foreign policy
strategies is only one aspect popular visual culture can illuminate. Another is the representation of
threats (Valantin 2005, xi). As done in this article, focusing on threat images in popular visual culture
as part of the discursive formation adds an additional dimension to the more common focus on
identity. For security risks, where there is no clearly responsible threat agent or enemy (like pandemics
or climate change) or where the form of the malicious actor is amorphous and shifting (like terrorism),
the details of how the threat itself is constructed becomes more important to understand political
effect. Popular visual culture co-produces imaginaries of threats by providing us with particular
visuals, which shape our propensity to recognise threats as threats in the first place and also our
expectations for how we should deal with them. They steer political actors to implicitly or explicitly
recognise cyberincidents they are actually confronted with as both similar to and different from these
imaginations, but always within the specific boundaries of the discourse formation that popular visual
culture co-shapes. This way, popular visual culture helps to co-produce ‘the limits and boundaries for
what is done and what can be done’ (Andersen, Vuori, and Mutlu 2015, 89) in politics.
To anchor the article in securitization literature, Lene Hansen and Helen Nissenbaum’s three
logics of security in the ‘cyber’-sector are used as an analytical frame: hypersecuritization, which
refers to the use of ‘multi-dimensional cyber disaster scenarios’ to create a sense of urgency;
everyday security practices, which refer to the mobilisation of the individual to perform cyber-
hygiene practices as part of the national security enterprise; and technification, which is about the
special status given to technological expertise in the discourse (Hansen and Nissenbaum 2009).
The interplay between the three logics will be pointed out in the analysis below and the role of
material factors highlighted.

Representations of cyberthreats in popular visual culture

In this section, the article moves from theory to the empirics. The material studied are films and
TV series in which computers are directly implicated in the emergence of a security threat (see
Appendix 1 for a list and details about the selection, its reasons and its limits). The focus of the
analysis lies on the interplay between the technical and the political, whereby ‘politics’ is under-
stood broadly to signify a diverse set of human activity that strives to ‘make, preserve and amend
the general rules under which they live’ (Heywood 2013, 2).
The doyen of visual methodology states that ‘a mix of discourse analysis [. . .] and semiology,
with perhaps a dash of Lacan and Deleuze, seems to constitute the default method’ in visual
studies (Rose 2016, 188). A mix of discourse analysis and semiology was used in this paper too to
identify three dominant, recurring ‘clusters’ of how cyberthreats are made visible politically and to
4 M. DUNN CAVELTY

point out in what ways the securitization logics play out in them. In the first, the main threat is
a machine – either in the form of an immobile mainframe computer or in the form of robots –
that is ‘out-of-control’ and threatens human existence. In the second, the threat emanates from
corrupt organisations that have power because they possess specific data. In the third, computers
are used as weapons. Common in all three representations is the strong dominance of material
aspects of the threat over the immaterial/virtual aspects.

Representation I: the malicious machine

The first type of representation depicts computers in various shapes or forms as a direct threat to
humanity (Tron, 1982; War Games, 1983; The Matrix Trilogy, 1999–2003). Both in Tron and War
Games, machines are given control over weapons of mass destruction before they develop their
own ideas of power/world domination.2 In The Matrix, the entire human race is turned into living
batteries by the victorious machines.
The cyberthreat is thus manifest and embodied in physical entities that are built by humans,
programmed by humans, and put in place by humans primarily for reasons of economic
efficiency. In War Games for example, a super-computer is tasked with launching missiles because
humans are judged to be too emotional and thus unreliable to be trusted with this task. In Tron,
the Master Control Program is in charge of optimising the operations of a large, powerful business
entity. It says about itself that it ‘could run things 900–1200 times better than any human’. In the
Matrix Trilogy (1999–2003), advanced machines are the dominant civilisation after they rebel
against humanity to ensure their own survival.
Indeed, what is at stake in all of these representations is survival of the entire human race and
extreme urgency is ever present: the hypersecuritization logic as identified by Hansen and
Nissenbaum (2009) is obviously at play here. The third logic (technification) is strongly present too:
The power to counter the existential threat is amassed in the hands of a few talented individuals – the
archetypical, lone hacker, who is driven by reluctant heroism. Thoroughly anti-authoritarian, their
moral compass compels them to do ‘the right thing’ and their miraculous skills let them intuitively
understand how to manipulate the machine world to restore a type of political order based on human
values. These orders are not perfect or ultra-efficient, but they have high legitimacy.
Social engineering, the manipulation of people into making them perform specific actions or
divulging confidential information, ‘war dialling’ (using a modem to automatically scan a list of
telephone numbers), and ‘hacking’ into other computers/systems with the help of malware/
computer programs are the techniques used by these saviours.3 However, what matters even
more than manipulating the virtual world are the physical-material aspects of the struggle,
paradoxically even in the virtual world. In War Games, the computer Joshua is a very bulky
physical entity in the Cheyenne Mountain Complex (an actual military bunker in Colorado
Springs). Large parts of the movie play inside that bunker and next to Joshua, who physically
struggles to solve the puzzles given to him and ultimately breaks down, showing frantic lights,
smoke, and explosions. In Tron, the villain mainframe computer digitises the programmer, who
becomes friends with a security program inside the machine world and manages to blow up the
malicious program, portrayed as red, evil demon head. The Matrix may play with the categories
‘real’ and ‘virtual’ more than other movies, but it, too, places the main struggle in the ‘real’
(physical) world and not in the simulation. The machines are defeated only with EMP weapons
(electromagnetic pulse which physically destroy electronic equipment). Neo’s real presence within
the Machine City and ultimately his bodily death is needed to end the war.
In this first cluster of threat-representations, the cyberincident starts with the human decision to
delegate fundamental responsibilities to machines. This decision is inherently political because it
delegates power to the ‘other’: Machines, visually represented as anti-human (large machine complex,
demon head, insects), are shown as fundamentally different from humans because they function
without intuition and emotion, but under the rules of cold computational logic. The second step of the
 CRITICAL STUDIES ON SECURITY 5

cyberincident is a (logical) decision by the machine that results in a life threatening situation for the
entire human race. In sum, the threat is fundamentally ‘material’, crystallised in the computer as
malicious object with its own agency.

Representation II: data, secrets and resistance

The second type of threat representation is concerned with secret, networked powers that rule the
world, the information that these entities control and with resistance to these power structures. This
trope defines The Net (1995), Johnny Mnemonic (1995), Prophecy (2015) and decisively the series
Mr. Robot (2015-) and Pied Piper (2016) and to some lesser degree the two Bond movies with hacking
elements, Golden Eye (1995) and Skyfall (2012). In contrast to the first theme, it is not machines
themselves that are the main threat, but human organisations or individuals and their access to
information/data.
These entities amass information or withhold information from the larger public – information
that is valuable to individuals (The Net) or society as a whole (Johnny Mnemonic, Mr. Robot).
Possessing information equals power, and thus, stealing this information as well as spreading or
deleting it becomes a form of political resistance. Also, the use of electronic means to express
political grievances makes it possible to reach more people, but also open up new avenues for
manipulating public opinion and sentiments.4 The referent object is ‘the truth’ (The Net, Johnny
Mnemonic, Prophecy, Pied Piper, Mr. Robot), or ‘the secret’ that needs special protection and care
(Golden Eye, Skyfall).
An additional aspect of the threat is the awareness of the digital traces users leave in cyber-
space, which make them hyper-visible and by extension, vulnerable to new types of manipulations
and violence. The Net from 1995 is one of the first movies to depict the internet as a distributed
network. The internet emerges as a blessing and as a curse at the same time: It is a place where we
can order pizza from the comfort of our armchairs, but it is also depicted as thoroughly insecure
(In The Net a character says about programs: ‘What if they don’t have any faults’ and the female
protagonist says: ‘Don’t believe I’ve met one yet’).
With the shift away from the embodiment of the threat in a machine towards people who
manipulate data, we find a recurring theme pitting ‘good’ hackers against ‘bad’ hackers, usually in
the service of a state or one of these sinister organisations. The ‘good’ hacker is not corrupted by
power or money, but lives for his/her pure ideals (Golden Eye, The Net, Skyfall). On the flip-side,
hacker-resistance can also emerge as a threat to state entities, especially specialised police units
(Ghost 2012; Bloody Monday 2008). This resistance tends to manifest as social unrest, panic and
even physical violence when it spills over into the real world. At the same time, the resistance
raises crucial questions of what is right and what is wrong in a world where false truths are so
easily fabricated. In Prophecy and Pied Piper, tragic anti-heroes (violently) fight what they consider
injustices in society, standing up for ‘bottom earners’, the bullied and the outcast (Prophecy) or
fighting corrupt conglomerates with ties to politics (Pied Piper). Using social media to gain
attention and to morally educate netizens, they fight for something that is theoretically noble,
but disqualify and doom themselves when they become too physically violent in the pursuit of
their goals.
To cause cyberincidents in the networks of one’s adversaries becomes a tool to attain specific
political goals. And yet, what truly matters takes place in the real world, and not on the level of
bits and bytes. People are physically hunted and almost killed (The Net, Johnny Mnemonic), police
investigators track cybervigilantes with the help of visual clues and virtual traces to specific
geographic locations (Prophecy, Pied Piper). Given the centrality of data in this trope, data storage
devices become visually and narratively important: floppy disks with sensitive information (The
Net), fancy launch disks (Golden Eye), hardware drives containing details of undercover agents
(Skyfall), or and brain implants to carry encrypted data from one place to another (Johnny
Mnemonic).
6 M. DUNN CAVELTY

The cyberincident related to stealing and revealing information is central in uncovering hidden
power relationships. Hypersecuritization is present in the form of deadly disease (Johnny
Mnemonic) or a cyberterrorist (Skyfall, The Net), but in this second type of representation, it is
not the defining logic. The interaction with cyberspace has become a normal day-to-day activity
for many (everyday security practices), though they often do not realise how insecure the
technology is. Certain people have technical superpowers (technification), but since the threat is
no longer physically contained in one machine that can be destroyed but thoroughly networked, it
dodges easy containment. In sum, the threat is located with powerful entities, whose power is
a derivate of their ability to manipulate data. Computers are neutral, passive objects with no
agency – but they are powerful tools that are used to obtain specific political goals.

Representation III: cyber, boom!

The third type of representation is turning cybertools into weapons in the hands of archetypal villains.
Die Hard 4 (2007) and Blackhat (2015) and to some extent Skyfall (2012), but also many TV show
episodes or whole shows (for example: parts of Le Femme Nikita (1997); Season 9 of 24 (2014)) are
based on this theme. The targets of cyberattacks in these products are so-called critical infrastructures
or utilities. This way, spectacular disaster scenarios that threaten the collapse of society are possible:
‘Anything that’s run by computers’ – ‘all down at once’ (quote from Die Hard 4).
The threat stems from malicious individuals, often disgruntled employees (Die Hard, Skyfall, to
some degree Blackhat). Thanks to their special skills coupled with their in-depth knowledge of
proprietary systems, they are particularly dangerous. Their hacks are extremely and immediately
effective – in Die Hard for example, the villain kills his adversaries by blowing up their computers from
a remote location. In Skyfall, the rogue agent turned ‘cyber-terrorist’ blows up the MI6 building by
turning off the safety controls in the gas system. In Blackhat, hackers cause a nuclear meltdown.
The visual focus is on data flows that create instant physical effects. The link between technical
aspects of the threat and its effects is shown by fast typing fingers on keyboards, by emphasis on code
speeding by on screens, also by massive explosions in machinery of factories or cities. Computer
code is translated on screen into appealing pictures showing 3D building plans, gas flowing in
pipelines or how traffic is currently routed (Die Hard). Infection by malware is represented by light
flowing along cables and computer hardware. When it has reached a target, a light goes on – it is
now rigged and ready to go up in flames (Blackhat). In contrast to the second type of representation,
the Internet is not shown as a container of sensitive data that can be collected and manipulated, but
as an extension of vulnerable physical objects of great value.
Government entities are shown to be powerless against the threat in Blackhat, Die Hard, and
Skyfall. They do not have command over people with the necessary skills or if they have them, are
bound by rules that restrict their actions too much. To overcome this, they hire (super-)hackers
who can (and do) bend the rules. In Die Hard 4 and Blackhat, we once again have good hackers
going against bad hackers, this time as a central plot-point. The good hackers not only need to
move around physically (Blackhat has locations in many different countries, including Indonesia
and China), they also need to get their hands dirty to end the threat, including massive explosions
and an arsenal of guns. Given the need for spectacular images in movies, this is no surprise –
however, it also creates a very particular sense of cyberthreats. Given the vulnerabilities of
systems – visually shown by the hacks the perpetrators do with extreme ease – and given the
extreme impacts, cybertools become depicted as violent weapons, in certain contexts even more
effective than guns and explosives.
In this third cluster, cyberspace is depicted as a global space that allows villains unprecedented
global reach. Ultimately, it is a space that allows the easy extension of ongoing power struggles or
pursuit of personal grudges. In sum, the threat is now the ability to produce these data weapons and
launch them against a target. All three securitization logics are present and mutually reinforce each
other. Hypersecuritization is the most easily apparent, lending itself to the easiest visualisation.
 CRITICAL STUDIES ON SECURITY 7

Cyberincidents threaten society due to its dependence on computers, making the ensuing scenarios
catastrophic and very violent. Due to their scope, these situations create extreme urgency. The
cyber-incident is used as a weapon, is very targeted and wielded with great efficiency.
The second, everyday security practices – or the lack of good cybe hygiene in targets – is the
underlying cause for this. Technological vulnerability makes a double-appearance. On the one hand,
unpatched vulnerabilities are exploited by malicious actors for malevolent deeds. On the other, it
leads to a fundamental distrust of digital technologies all around: The hackers in Die Hard 4 all have
redundant systems for communication in case the information infrastructure breaks down. The
(good) hacker in Blackhat tells his FBI handler that digitally stolen money needs to be ‘made real’:
the trick is to get the money out in cash from different ATM machines and walk away. Given this
somewhat amorphous picture of the technical, technification is manifest in a different form than
before. Hackers are still the actors with the most power, but their dominance is questioned. Both
McClane, the main protagonist in the Die Hard movies, as well as Bond in Golden Eye and Skyfall
represent the ‘old’ world, where things are done the traditional way and not with the help of
computers. McClane shouts at his hacker-helper: ‘It’s not a system. It’s a country – you are talking
about people’! The new world almost manages to throw Bond and all he stands for (‘We’re a bunch
of antiquated bloody idiots, fighting a war we don’t understand and can’t possibly win’) into a deep
identity crisis in Skyfall – but what counts in the end is the gritty reality of the old battlefield, where
true heroes fight face to face and familiar meaning can be restored.

From the technical to the political via the material: visualising securitization logics
As was shown in the previous section, popular visual culture shows a broad and multifaceted
relationship between the technical and the political. Of the three security logics identified by Hansen
and Nissenbaum, hypersecuritization appears as the most dominant. This is not surprising since it is
also the one that lends itself best to exciting visuals through an explicit destructive materiality.
However, the material aspects of computer insecurity are a strong feature in all threat representa-
tions, to the point where they define cyberthreats. Beyond linking code-producing, fast typing
fingers to the instant doom of exploding critical infrastructures, there is an even more fundamental,
lurking threat ever present: a threat rooted in the very existence of computing machines. If they are
not given to opportunity to turn into the big bad themselves, they are naturally (mis)used as tools to
do harm that would not be possible without them. It is always the real world in which security and
insecurity unfolds, with material objects defining the space of engagement, being both the threat and
what is threatened. Virtual space is an identifiable place with geographical dimensions and its rules
are either similar to the real world or at least easily manipulated by those with special skills.
Ultimately, this leads to cyberthreats emerging as familiar physical violence.
Such familiarity is accompanied by the normalisation of the threat over time. Computers and
their abilities are portrayed as exceptional or spectacular in the early years, but as we move
through time, the ‘cybered’ aspects of society become an everyday feature of life. With the
delegation of not only a few, but an increasing amount of tasks to machines, cyberthreats become
a systemic, even anticipated condition. With this normalisation comes advanced familiarity with
the threat in society, reflected in an ever closer relationship between fiction and reality. For
example, the plot in Die Hard is based on a threat scenario from an article published in the
WIRED Magazine called ‘Farewell to arms’ (Carlin 1997). In that same year, the Presidential
Commission on Critical Infrastructure Protection published their seminal report, in which the
link between critical infrastructures and cyberspace was established in the political realm (PCCIP
1997). The insider threat is also the one highlighted in this influential report, which makes
a repeated appearance in popular visual culture. Speaking to a similar trend, the attention given
to ‘hackuracy’ has increased over the years. Matrix Reloaded (2003) is the first major motion
picture to attempt to portray an actual hack: The female hacker Trinity does an ‘Nmap port scan’,
a common real-world prelude to an intrusion attempt. In Blackhat (2015), all the code that is
8 M. DUNN CAVELTY

visible on screen is real code. In Mr. Robot (2015-), each episode title relates to a specific technical
action taken in the main plot.
There are two sides to this normalisation. On the one hand, a threat that we live with loses part
of its terror, which helps against tendencies to simplify the threat. Indeed, with the increase of
actual incidents as ‘reality check’, hypersecuritization has lost some of its mobilising power –
extreme scenarios are not as easily presented as fiction that may become reality one day, but
appear as fiction far from reality when they simply do not measure up. On the other hand, if we
take a threat for granted, we stop questioning and resisting its logics. That becomes even more
obvious when we focus on the second logic of security identified by Hansen and Nissenbaum
(everday security practices). This aspect is present, yet never foregrounded, neither visually nor
narratively. Indeed, such is the nature of this type of logic: It is there but not easily noticed, yet
shaping social interactions and political expectations constantly. In popular visual culture, indi-
viduals are always the ones portrayed as responsible for and capable of countering the threat – the
state is either absent or unable to help.
The strong message is that the state and its institutions are quasi-powerless vis-à-vis this threat,
shaping a political image of necessary self-help. This responsibilization of individuals mirrors the
solutions propagated in a majority of national cybersecurity strategies and is based on a liberal
market logic. In short: You must protect what you own. With relatively little variation across
polities, the protection policies in place consist of a three-pronged approach: A law enforcement
pillar for countering cybercrime, private-public partnerships for critical infrastructure protection,
and private and public self-help for the rest of the networked infrastructure. Importantly, it has
been made a common practice that everybody is responsible for ‘their own’ assets as far as
possible: governments protect government networks, militaries only military ones, companies
protect theirs, and individual citizens are in charge of their own computer security (Dunn Cavelty
2018).
However, real world incidents that are presented as security political and urgent in nature have
put this hands-off approach by states under increasing pressure. Finding themselves caught
between the obligation and even desire to take on a more forceful role as ‘protector’ in this
space and their repeated inability to do so, states grapple with the difficulty of defining their role
in cybersecurity (cf. Dunn Cavelty and Egloff 2019). This becomes even clearer in the third logic.
Technification is almost as important as the focus on survival and disaster and triggers similar
images of the political. To have power means to have the ability to manipulate the machine world
through special practices.
Whereas the depiction of the ‘good’ hacker is relatively constant throughout the years, the ‘bad’
hacker emerges as the epitome of threat especially sometime in the 1990s (for a similar argument
see Nissenbaum 2004). Often, they possesses special insider knowledge, which guarantees their
ability to do maximum harm. With this focus on special skills comes another pervasive proble-
matization of the state and its security bureaucracies: They are either portrayed as a direct threat
due to rampant corruption and power abuse or as an indirect threat due to their blatant
incompetence in handling cyber-emergencies. It is by virtue of being outside the state apparatus,
both in terms of rules but also in terms of values, that (anti-)heroes can emerge as victorious and
ultimately as saviours. Beyond this, the state in itself becomes problematic by virtue of its ascribed
security role and organisational structure. Since the keeping of secrets is one of the prerogatives of
states and those who have the skills to save the world are always acting from the belief that
keeping secrets is a misuse of power, digital resistance emerges as a viable and morally just
counterstrategy aimed at the state itself.
Little remains of the traditional authority of the state if only technological geniuses who toe
illegality can battle the threat. Delegation of security provision to state authorities is no longer possible,
it is society who has to ensure that the skills needed to navigate the new world can emerge from its
midst. At the most, the state can temporarily entice these individuals to lend their services to the
 CRITICAL STUDIES ON SECURITY 9

greater good. This way, state authorities become mere managers of talent that is not theirs to
command; they have lost their ability to be providers of security entirely.

Conclusion
Driven by an interest to understand how visual representations of cyberthreats make sense of technical
effects politically, this article focused on cyberthreats in popular visual culture since the early 1980s.
Three dominant representations of cyberthreats were discussed and some of the commonalities
between them identified, with a particular focus on securitization logics aided by material aspects.
Change in representations over the years reflects a change in the discourse formation which is strongly
influenced by the reading of ‘real world’ incidents as security politically relevant.
Clearly, Hansen and Nissenbaum’s statement that ‘the digital networked character of cyber
security – and the absence of prior disasters – is hard to represent through images’ (2009, 1165)
needs to be revised. Popular visual culture has filled the political space with images for decades,
inspired by and at the same time inspiring politics. When in reality, sophisticated malware often
seeks to hide its performance as long as possible to be able to deliver maximum effect, there is no
such invisibility in popular visual culture: The representations of cyberthreats are always linked to
instantaneous effects that cannot evade the human sensorium.
These representations provide a somewhat soothing doubt-free representation of cyberthreats.
The materiality of the threat anchors it in the real world and defines its parameters throughout all
three representations. Since cyberthreats are produced by or with machines, they always co-define
the limits and possibilities of action. However, if they were just (isolated) objects of danger,
removing them would solve the security threat. But they also are a much desired physical
extensions of a post-human society, where digital bodies are just as relevant as physical ones
and where other objects of values and computing machines form intricate networks of power and
wealth. Cyberthreats emerge as far broader and more closely interwoven with human life than just
as disrupting, temporary incidents. Popular visual culture presents us with a technological world
that is pervasively insecure, and in which the threat is multifaceted, all-embracing, and systemic
because of the existence of computing machines. However, the distinct materiality of the threat is
also what opens up possibilities for its management. Indeed, the visibility of the threat or rather,
the active ‘making visible’ of causes and effects, is emerging as a powerful counterstrategy. In all
representations, visibility is essential for the attribution of agency, of political acts and, ultimately,
decision and responsibility.
In 2009, Hansen and Nissenbaum held that ‘the most significant lesson of bringing the
Copenhagen School to cyber security may be to bring the political and normative implications
of “speaking security” to the foreground’ (2009, 1172). What political and normative implications
emerge from making cybersecurity visible in the ways shown in this article? If the prime message
is that cyberthreats cannot be handled by the state or worse, that they unmask the state itself as the
root of the problem, we are faced with questions about desired political alternatives. Machines
destabilise old authority structures and enable new ones, but what should a different, legitimate
forms of politics look like in a space where only a handful of technical geniuses have the power to
shape rules and take on the role of ‘the protector’ if they wish so?
For democratic politics, technification is a big challenge. By making cybersecurity an issue of
the genius few, technification makes contestation from those with less technical expertise hard if
not impossible or makes it easy for those with the expertise to discredit others that do not have
it. In addition, the power of technical expertise comes with a claim of being ‘neutral’ or
‘a-political’, and hence, as more valid than anything that is based on ethics or morals. For the
study of cybersecurity in critical security studies, it will be important to further analyse the
interrelationship between all three security logics, but with a particular focus on technification
and its effects.
10 M. DUNN CAVELTY

Notes
1. Prominent examples are: Stuxnet, the computer worm that sabotaged the Iranian nuclear program (Farwell
and Rohozinski 2011), the hacking of Sony networks and the subsequent blackmailing to prevent the
distribution of a movie making fun of North Korea’s leader (Siboni and Siman-Tov 2014), the hacking of
a power grid during Russia’s military campaign against the Ukraine (Zetter 2016), or the meddling with US
elections with the help of confidential information obtained through computer infiltrations (Shane and
Mazzetti 2018).
2. This topic is well-loved by Hollywood in general but also plays a considerable role in many Japanese animes.
As early as 1927, Fritz Lang’s Metropolis depicted a robot which unleashes chaos and is ultimately burnt at
the stake as a witch, leading to a long list of mobile computers and their relationship with humanity.
HAL9000 (Heuristically programmed ALgorithmic computer) and his iconic red glare in 2001: A Space
Odyssey (1968) kills the crew of the spaceship he controls and monitors when conflicts in HAL’s program-
ming cause severe paranoia. Skynet from the Terminator Movie (1984) becomes self-aware and decides that
humans are a menace that needs to be eliminated.
3. The movie War Games gave the hacker technique ‘war dialling’ its name. Previously to War Games, it was
called ‘hammer dialling’ or ‘demon dialling’.
4. As an interesting side note with regards to the interlinkage between popular visual culture and hacker
resistance: The Guy Fawkes mask depicted in ‘V for Vendetta’ (2005) was adopted by the hacktivist
movement Anonymous and has become a cultural icon for hacker resistance.

Disclosure statement
No potential conflict of interest was reported by the author.

Notes on contributor
Dr. Myriam Dunn Cavelty is a senior lecturer for security studies and deputy head of the Centre for Security
Studies (CSS), ETH Zurich. In addition to her teaching, research and publishing activities, she advises governments,
international institutions and companies in the areas of cyber security, cyber warfare, critical infrastructure
protection, risk analysis and strategic foresight.

ORCID
Myriam Dunn Cavelty http://orcid.org/0000-0002-3775-1284

References
Andersen, R. S., J. Vuori, and C. E. Mutlu. 2015. “Visuality.” In Critical Security Methods: New Frameworks for
Analysis, edited by C. Aradau, J. Huysmans, A. Neal, and N. Voelkner, 85–117. London: Routledge.
Aradau, C. 2010. “Security that Matters: Critical Infrastructure and Objects of Protection.” Security Dialogue 41 (5):
491–514. doi:10.1177/0967010610382687.
Balzacq, T., and M. Dunn Cavelty. 2016. “A Theory of Actor-network for Cyber-security.” European Journal of
International Security 1 (2): 176–198. doi:10.1017/eis.2016.8.
Barnard-Wills, D., and D. Ashenden. 2012. “Securing Virtual Space: Cyber War, Cyber Terror, and Risk.” Space
and Culture 15 (2): 110–123. doi:10.1177/1206331211430016.
Borghard, E. D., and S. W. Lonergan. 2017. “The Logic of Coercion in Cyberspace.” Security Studies 26 (3):
452–481. doi:10.1080/09636412.2017.1306396.
Burgess, P. 2007. “Social and Material Threat: The European Programme for Critical Infrastructure Protection.”
International Journal of Critical Infrastructures 3 (3–4): 471–487. doi:10.1504/IJCIS.2007.014121.
Carlin, J. 1997. “A Farewell to Arms.” Wired Magazin, January 5. https://www.wired.com/1997/05/netizen-2/
Carver, T. 2010. “Cinematic Ontologies and Viewer Epistemologies: Knowing International Politics as Moving
Images.” Global Society 24 (3): 421–431. doi:10.1080/13600826.2010.485556.
Collier, J. 2018. “Cyber Security Assemblages: A Framework for Understanding the Dynamic and Contested Nature
of Security Provision.” Politics and Governance 6 (2): 13–21. doi:10.17645/pag.v6i2.1324.
Cresswell, T., and D. Dixon. 2002. “Introduction: Engaging Film.” In Engaging Film: Geographies of Mobility and
Identity, edited by T. Cresswell and D. Dixon, 1–10. London: Rowman and Littlefield.
Debrix, F. 2007. Tabloid Terror, War, Culture, and Geopolitics. London: Routledge.
 CRITICAL STUDIES ON SECURITY 11

Dodds, K. 2005. “Screening Geopolitics: James Bond and the Early Cold War Films 1962–1967.” Geopolitics 10 (3):
266–289. doi:10.1080/14650040590946584.
Dunn Cavelty, M. 2008. Cybersecurity and Threat Politics: US Efforts to Secure the Information Age. London:
Routledge.
Dunn Cavelty, M. 2013. “From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the
Cybersecurity Discourse.” International Studies Review 15 (1): 105–122. doi:10.1111/misr.12023.
Dunn Cavelty, M. 2018. “Aligning Security Needs for Order in Cyberspace.” In Future International Order, edited
by H. Maull, 104–119. Oxford: Oxford University Press.
Dunn Cavelty, M., and F. Egloff. 2019. “The Politics of Cybersecurity: Balancing Different Roles of the States.” St
Antony’s International Review 15 (1): 37–57.
Eriksson, J. 2001. “Cyberplagues, IT, and Security: Threat Politics in the Information Age.” Journal of Contingencies
and Crisis Management 9 (4): 200–210. doi:10.1111/jccm.2001.9.issue-4.
Farwell, J., and R. Rohozinski. 2011. “Stuxnet and the Future of Cyber-War.” Survival, Global Politics and Strategy
53 (1): 23–40.
Hansen, L. 2011. “Theorizing the Image for Security Studies: Visual Securitization and the Muhammad Cartoon
Crisis.” European Journal of International Relations 17 (1): 51–74. doi:10.1177/1354066110388593.
Hansen, L., and H. Nissenbaum. 2009. “Digital Disaster, Cyber Security, and the Copenhagen School.” International
Studies Quarterly 53 (4): 1155–1175. doi:10.1111/isqu.2009.53.issue-4.
Heywood, A. 2013. Politics. Basingstokes: Palgrave.
Huysmans, J. 2011. “What’s in an Act? on Security Speech Acts and Little Security Nothings.” Security Dialogue 42
(4–5): 371–383. doi:10.1177/0967010611418713.
Lacy, M. J. 2003. “War, Cinema and Moral Anxiety.” Alternatives 28 (5): 611–636. doi:10.1177/
030437540302800504.
Lawson, S. 2013. “Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of
Cyberthreats.” Journal of Information Technology & Politics 10 (1): 86–103. doi:10.1080/19331681.2012.759059.
Liff, A. P. 2012. “Cyberwar: A New ‘absolute Weapon’? the Proliferation of Cyberwarfare Capabilities and Interstate
War.” Journal of Strategic Studies 35 (3): 401–428. doi:10.1080/01402390.2012.663252.
Löfflmann, G. 2013. “Hollywood, the Pentagon, and the Cinematic Production of National Security.” Critical
Studies on Security 1 (3): 280–294. doi:10.1080/21624887.2013.820015.
MacLennan, J. A. 2016. “Objects in the Cultural Imaginary of Geopolitics: From Patriot Games to Jack Ryan:
Shadow Recruit.” Critical Studies on Security 4 (3): 241–254. doi:10.1080/21624887.2015.1128255.
Maness, R. C., and B. Valeriano. 2016. “The Impact of Cyber Conflict on International Interactions.” Armed Forces
& Society 42 (2): 301–323. doi:10.1177/0095327X15572997.
McCarthy, D. 2018. “Conclusion: Technology and International Relations Theory: The End of the Beginning.” In
Technology and World Politics: An Introduction, edited by D. McCarthy, 224–242. Abingdon: Routledge.
Nissenbaum, H. 2004. “Hackers and the Contested Ontology of Cyberspace.” New Media & Society 6 (2): 195–217.
doi:10.1177/1461444804041445.
Parikka, J. 2010. “Ethologies of Software Art: What Can a Digital Body of Code Do?” In Deleuze and Contemporary
Art, edited by S. Zepke, 116–132. Edinburgh: Edinburgh University Press.
PCCIP (President’s Commission on Critical Infrastructure Protection). 1997. Critical Foundations: Protecting
America’s Infrastructures. Washington: US Government Printing Office.
Rose, G. 2016. Visual Methodologies: An Introduction to Researching with Visual Materials. London: Sage.
Shane, S., and M. Mazzetti. 2018. “Inside a 3-year Russian Campaign to Influence U.S. Voters.” The New York
Times, February 16. https://www.nytimes.com/2018/02/16/us/politics/russia-mueller-election.html
Shires, J. 2018. “Enacting Expertise: Ritual and Risk.” Cybersecurity, Politics and Governance 6 (2): 31–40.
doi:10.17645/pag.v6i2.1329.
Siboni, G., and D. Siman-Tov. 2014. “Cyberspace Extortion: North Korea versus the United States.” INSS Insight
No. 646, December 23
Stevens, T. 2016. Cyber Security and the Politics of Time. Cambridge: Cambridge University Press.
Stevens, T., and D. J. Betz. 2013. “Analogical Reasoning and Cyber Security.” Security Dialogue 44 (2): 147–164.
doi:10.1177/0967010613478323.
Valantin, J. M. 2005. Hollywood, the Pentagon and Washington. London: Anthem Press.
Weber, C. 2001. International Relations Theory: A Critical Introduction. London: Routledge.
Zetter, K. 2016. “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.” Wired, March 3. https://
www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
12 M. DUNN CAVELTY

Appendix 1. Material viewed (and omitted)

Name Year Type Genre Plot summary (from IMDB) Country

1. Tron 1982 Movie Action, Adventure, A computer hacker is abducted into the USA
1h Sci-Fi digital world and forced to participate in
36 min gladiatorial games where his only chance
of escape is with the help of a heroic
security program
2. War Games 1983 Movie Sci-Fi, Thriller A young man finds a back door into USA
1h a military central computer in which
54 min reality is confused with game-playing,
possibly starting World War III
3. Johnny 1995 Movie Action, Crime, Sci- A data courier, literally carrying a data USA
Mnemonic 1h Fi package inside his head, must deliver it
36 min before he dies from the burden or is killed
by the Yakuza
4. Golden Eye 1995 Movie, Action, Adventure, James Bond teams up with the lone survivor UK/USA
2h Thriller of a destroyed Russian research centre to
10 min stop the hijacking of a nuclear space
weapon by a fellow agent formerly
believed to be dead
5. The Net 1995 Movie Action, Crime, A computer programmer stumbles upon USA
1h Drama a conspiracy, putting her life and the lives
54 min of those around her in great danger
6. Le Femme 1997–2001 TV Series Action, Drama, Section One, a clandestine anti-terrorist Canada
Nikita (S01E03; Romance organisation, fakes the death of a jailed,
S03E16) convicted murderer and, believing her
2 Episodes twin assets of beauty and ability to kill will
make her a valuable new operative, trains
her in the fighting skills necessary to
succeed in her new job. The new
operative, code-named ‘Josephine’, proves
to be somewhat less ruthless than
planned, however, as she had been falsely
convicted and never murdered anyone
7. The Matrix 1999 Movie Action, Sci-Fi A computer hacker learns from mysterious USA
2h rebels about the true nature of his reality
16 min and his role in the war against its
controllers
8. The Matrix 2003 Movie Action, Sci-Fi Neo and the rebel leaders estimate that they USA/
Reloaded 2h have 72 hours until 250,000 probes Australia
18 min discover Zion and destroy it and its
inhabitants. During this, Neo must decide
how he can save Trinity from a dark fate
in his dreams
9. The Matrix 2003 Movie Action, Sci-Fi The human city of Zion defends itself against Australia/
Revolutions 2h the massive invasion of the machines as USA
9 min Neo fights to end the war at another front
while also opposing the rogue Agent
Smith
10. Live or Die 2007 Movie Action, Adventure, John McClane and a young hacker join forces USA/UK
Hard 2h Thriller to take down master cyber-terrorist
8 min Thomas Gabriel in Washington D.C
(Continued)
 CRITICAL STUDIES ON SECURITY 13

(Continued).
Name Year Type Genre Plot summary (from IMDB) Country
11. Bloody 2008 TV Series Action, suspense A brilliant high school hacker, Fujimaru Japan
Monday, Takagi (Haruma Miura), gets drafted by
Season 1 the Japanese equivalent of the FBI (Third-
ブラッディ・ I), to help them stop a group of terrorists
マンデイ intending to attack Tokyo with
11 episodes a biological weapon. When his friends and
family members come under attack,
Fujimaru realises the seriousness of the
situation he has been asked to participate
in. A race against time begins as he helps
the Third-I track down those responsible
for the impending attack while the true
purpose of the terrorist’s plan comes to
light
12.Skyfall 2012 Movie Action, Adventure, Bond’s loyalty to M is tested when her past UK/USA
Thriller comes back to haunt her. Whilst MI6
comes under attack, 007 must track down
and destroy the threat, no matter how
personal the cost
13. Ghost/ 2012 TV Series Crime, action, A drama based on a cyber-investigation South
Phantom investigation squad. Kim Woo-Hyun is the only son of Korea
유령 a high ranking police officer. Woo-Hyun
20 episodes entered the police academy ranked first
and graduated from the academy ranked
first. As a detective, he then joins the
cyber investigation department. Woo-
Hyun then works to reveal the secrets of
those that hide within the cyber world
(http://wiki.d-addicts.com/)
14. 24: Live 2014 TV Series Action, Crime, Jack Bauer, Director of Field Ops for the USA
Another Day Drama Counter-Terrorist Unit of Los Angeles,
(Season 9) races against the clock to subvert terrorist
12 episodes plots and save his nation from ultimate
disaster
15. Prophecy 2015 Movie Mystery A man named Gates heads a mysterious Japan
予告犯 1h group called ‘Shinbunshi’ who don
59 min newspaper masks and post internet
videos informing the public of their crimes
of justice against people they deem guilty
of things not punishable by law.
Meanwhile, Erika Yoshino, an elite
inspector from the Tokyo Metropolitan
Police Department’s cyber-crime division
attempts to track down the members of
Shinbunshi and put a stop to their crimes.
However, the group gradually begins to
win over the support of the public with
their videos
16. Blackhat 2015 Movie Action, Crime, A furloughed convict and his American and USA
Drama Chinese partners hunt a high-level
cybercrime network from Chicago to Los
Angeles to Hong Kong to Jakarta
17. Mr. Robot, 2015- TV Series Crime, Drama, Follows a young computer programmer who USA
Season 1 ongoing Thriller suffers from social anxiety disorder and
10 episodes forms connections through hacking. He’s
recruited by a mysterious anarchist, who
calls himself Mr. Robot
(Continued)
14 M. DUNN CAVELTY

(Continued).
Name Year Type Genre Plot summary (from IMDB) Country
18. Pied Piper 2016 TV Series Action, thriller Pied Piper focuses on a police negotiation South
피리부는 사 task force that specialises in tense, worst- Korea
나이 case scenarios that require highly trained
16 episodes communication.
Obvious movies missing from this list are Sneakers (1992), Hackers (1995), Ghost in the Shell (1995), and Swordfish (2001). They
do not make an explicit appearance in the paper because their representations fit into the three categories outlined in the
article without any challenge. Black Mirror (2011-) is not included because it goes beyond the scope of what I analysed (films
and TV series in which computers are directly implicated in the emergence of a security threat).
Also, there is a question of cultural coherence and boundedness of ‘popular visual culture’. Is there such a thing as
‘global’ popular culture? Probably not, but the argument can be made that Hollywood productions have the biggest
reach and therefore have the biggest shaping power. That additional cultural products from Asia confirm the three
patterns seems to matter more here than the differences.