The Norwegian bulk interception controversy

Following a number of other Western European and North American countries, Norway has recently implemented a so-called bulk interception regime, which allows its foreign intelligence service to harvest in bulk all data that crosses state borders in fibre optic cables.Footnote ¹⁷ The suggestion for a new Intelligence Act which included a bulk interception provision sparked a heated debate. Proponents of bulk interception insisted that the foreign intelligence service needed better – and more specifically digital – tools to prevent and counter the security threats of the day. Opponents, on the other hand, were sceptical about bulk interception given its privacy-invasive and potentially human-rights-violating nature. After the first round of parliamentary proceedings in 2018 and 2020, the Intelligence Act was passed, but the bulk interception provision was postponed in order to wait for clarification about the legality of such a regime from the European Court of Human Rights. Reacting to these clarifications, an altered bulk interception provision which strengthened control mechanisms to ensure the law was within Norway’s human rights commitments, was presented to parliament in 2023, after which the bulk interception provision was eventually passed.Footnote ¹⁸

In the second parliamentary debate, which addressed whether to include bulk interception in the already-passed Intelligence Act, representative Liv Signe Navarsete from the Centre Party (SP) offered a first example of how ‘the digital’ figured in the securitisation process when she stated the following:

Of particular note here is Navarsete’s discursive linking of the dangers associated with digital threats to the invisibility of digital communication. By contrasting digital threats with physical objects on the military battlefield such as tanks and planes, and, more importantly, by describing digital threats as ‘that which we do not see’, Navarsete placed great emphasis on the material quality of the digital when securitising digital communication. For Navarsete, digital communication was dangerous and in need of a strong policy response precisely because it is an activity which operates in registers that evade our senses. Due to this immaterial materiality, she even argued that digital communication is the threat which is ‘most difficult to combat’. By this account, the invisibility of the digital was a reason not merely to securitise, but also to implement extra invasive surveillance and, more specifically, to give the intelligence services extra-wide authority in terms of access to commercial data.

Playing into Navarsete’s representation of digital threats as invisible and strengthening the overall impression of digital threats as materially imperceptible, many also represented ‘the digital’ as ubiquitous. First of all, Navarsete herself linked the invisibility representation with the notion of the ubiquity of ‘the digital’ by stressing that ‘that which we do not see’ ‘absolutely happens everywhere in society’. By this account, the ubiquity of digital threats in a sense contributes to their invisibility: the digital is impossible to see because it is all around us. Making a similar discursive move, FFI, a military research institute invited to the open hearing, said in their consultation response that

In this way, FFI substantiated Navarsete’s linking of invisibility with ubiquity through the notion of omnipresence and, more specifically, added texture to this construction by representing the digital as ‘pervasive’, ‘border-crossing’, and ‘very large’. By stating these digital attributes as reasons to update the Intelligence Act (implicitly involving the bulk interception provision), moreover, FFI also mobilised the immaterial quality of digital threats in their efforts to securitise digital communications. By FFI’s account, it was necessary to put in place stronger security and surveillance policies due to the material quality of the digital, and, more specifically, since the digital is difficult to grasp and control given its immaterial ubiquity.

While linking invisibility to ubiquity, moreover, FFI also linked invisibility to complexity, which may be seen as yet another immaterial quality of the digital which makes digital communications seem threatening and demanding strong policy response. Similarly, representative Bengt Fasteraune (SP) stated in the second parliamentary debate that

For FFI and Fasteraune, then, not only size but also complexity describes the nature of the internet and processes of digitalisation, since complexity, like ubiquity and invisibility, makes the digital virtually ungraspable. As such, complexity adds further nuance to the material imperceptibility of the digital, and importantly, gives yet another reason to securitise digital communications. Note also how Fasteraune places the hostile activities of real and tangible threat actors in complex, digital spaces, thus making activities which are possible to ground in a physical reality seem mysterious and enigmatic and hence difficult to detect, respond to, and even fully understand.

Finally, the notion of speed also seems to have played into and reinforced the impression of digital threats as imperceptible and thus demanding securitisation. The following quotes illustrate this. The first is given by NUPI, a foreign affairs research institute, in the open hearing, and the second by Christian Tybring Gjedde from the Progress Party (FRP) in the first parliamentary debate.

Here, NUPI and Tybring-Gjedde both argue that the speed with which digital technologies are developing is a reason to give the intelligence services surveillance tools that enable the harvesting, storage, and potential monitoring of digital communications. Speed, for them, seems to accentuate the dangers already associated with digital threats, since digital threats may be even more dangerous in the near future due to rapid technological progress. The tempo of development is thus represented as a material quality inherent in digital technologies, which makes security threats that manifest in digital activities require policy response.

The statements cited here, whether they refer to the invisibility, ubiquity, complexity, or speed of ‘the digital’, represents ‘the digital’ as a unitary yet vaguely defined force which in and of itself seems to constitute a threat and thus require securitisation. FFI’s statement that an update of the Intelligence Act (which included the bulk interception provision) was ‘necessary because the rapid technological development has created and will continue to create new and significant vulnerabilities and risks for state security’ is emblematic of this. It shows with clarity that the nature of concrete threats, risks, and vulnerabilities is a secondary concern, and that it is the digital revolution in itself that must be secured against. Similarly, Tybring-Gjedde indirectly discusses threats when he contends that as a result of speedy digitalisation, it is ‘natural that thugs and foreign operators become more digitalised and work better’. Here too, the nature of the threats in question remains vague, and it is ‘the digital’ that is highlighted as that which needs securitisation.

In the following, I explore how ‘the digital’ may be seen to act in and upon the securitisation of digital communication by consulting and engaging a number of different theoretical approaches to the material production of cybersecurity. The material presented above by no means constitutes a full account of the securitisation of communication and legitimisation of mass surveillance through bulk interception in Norwegian policy discourse. Nonetheless, the material shows that notions of ‘the digital’ figured quite prominently in the discourse and that its immaterial qualities played a part in enabling the legitimation of bulk interception. Off the back of this observation, it is necessary to ask, as I do in this article and as will be explored in the sections below, how we can best account for the ways in which ‘the digital’ acts in and upon securitisation processes through its immaterial qualities.

Matter as condition: Constructivist approaches to digital immateriality

Constructivist securitisation theory has been interested in the securitisation of cyber for a long time. While it has speech acts and the discursive, intersubjective construction of cyber threats as its main object of study, constructivist cyber securitisation scholarship also pays moderate attention to the materiality of cyber threats and, indeed, to their immaterial qualities.

In her seminal book on the securitisation of cyber threats, Cyber-Security and Threat Politics, Myriam Dunn Cavelty examines the myriad ways in which cyber threats have been perceived and constructed by US policymakers.Footnote ²⁴ In conceptualising how cyber threats operate, Dunn Cavelty develops a matrix of means and targets of cyber attacks. Here, she separates between means and targets that exist in the physical domain, such as cables, servers, backhoes, and hammers, and those which exist in the cyber domain, such as networks and hacking. According to Dunn Cavelty, means and targets in the cyber domain are ‘immaterial’ as opposed to the material means and tools in the physical domain in the sense that they are ‘very elusive’.Footnote ²⁵ These elusive immaterials of the cyber domain, she further explains, make up ‘the information and the content that flows through the infrastructure’.Footnote ²⁶

Moreover, Dunn Cavelty also contends that ‘there are some hard facts grounded in real-life experiences when it comes to the information infrastructure and what we can do with it’.Footnote ²⁷ More specifically, she points to the speed, complexity, and reach of cyber threats and shows how these qualities – all of which are expressions of digital immateriality – play an important part in deciding how threats are constructed.Footnote ²⁸ Dunn Cavelty, for instance, argues that the speed of future technological development of digital tools and infrastructures makes it almost impossible to completely dismiss cyber threats even in the absence of concrete previous incidents or likely future scenarios. She also suggests that the complexity of digital information systems, networks, and infrastructures, and the difficulty of fully understanding how ‘the digital’ hangs together and operates, enable the construction of cyber threats as a permanent uncertainty which requires continuous securitisation.Footnote ²⁹ Complexity, Dunn Cavelty further demonstrates, is exacerbated by the global scope of ‘the digital’ and global reach of cyber threats.Footnote ³⁰

Related arguments have been made in critical security studies and surveillance studies literatures that emerged as a response to the Snowden revelations. Notably, Bauman et al. emphasise the ‘complex and rhizomatic character of interconnected networks of surveillance tools’ and highlight how this complexity demands a rethinking of the security politics involved in contemporary mass surveillance.Footnote ³¹ Hence, they call to our attention how immaterial material qualities not only of ‘the digital’ as such, but also of contemporary digital surveillance systems in particular (rhizomatic complexity), determine how we can and should make sense of digital surveillance today (in terms of new lines of flight and structures of authority). Similarly, David Lyon suggested that the Snowden leaks demonstrated the liquidity of contemporary surveillance, i.e. ubiquitous gathering and exploitation of uncontained and uncontrolled flows of data.Footnote ³²

Tim Stevens, moreover, conducts a narrative analysis of the temporal logics after which security politics operates.Footnote ³³ While also located firmly in constructivist security studies, as he examines intersubjective, discursive construction of cybersecurity in epistemic communities, Stevens’s approach explicitly makes room for taking into account the material aspects of cybersecurity as well. Laying out his approach to the securitisation of cyber, Stevens explains that ‘cyber security is not only a set of rules or policies but is also instantiated through hardware: the material infrastructures of the global information grid’.Footnote ³⁴ In this way, he suggests – much like Dunn CaveltyFootnote ³⁵ – that the physical attributes of ‘the digital’ make up the conditions for how cybersecurity can be envisaged and represented. Moreover, Stevens also holds that cybersecurity constitutes an assemblage in the sense that it is made up of a wide variety of human and non-human components, which relate and interact in unpredictable and heterogeneous ways. He focuses his analysis on how this assemblage is imagined by human actors but acknowledges the agency of non-humans as well. For Stevens, human actors are the immaterial component of the cybersecurity assemblage, while the physical objects of cybersecurity make up its material component.Footnote ³⁶

Furthermore, Lene Hansen and Helen Nissenbaum have notably argued that cyber threats lend themselves to hypersecuritisation, in the sense that they target networks of digital and physical infrastructures and thus may ‘cause society, financial, and military break-down’.Footnote ³⁷ More so than Dunn CaveltyFootnote ³⁸ and Stevens,Footnote ³⁹ Hansen and Nissenabaum take an explicitly critical constructivist approach. They even distance themselves from materialist understandings of cybersecurity, explaining that they view security as ‘a discursive and political practice rather than a material condition or verifiable fact’ and state that they are not ‘convinced … that the material conditions of the communications environment will determine the winning discourse as this constitutes material structures as outside and above political decisions and discursive processes’.Footnote ⁴⁰ For Hansen and Nissenbaum, even the physical components of ‘the digital’ are discursively constructed and given meaning in a cybersecurity context only through the ways in which they are represented in text and image.Footnote ⁴¹

Still, Hansen and Nissenbaum’s emphasis on the difficulty of representing cyber threats visually, and on the instantaneous cascading effects of cyber attacks, seems to suggest otherwise; that even if the physical components of ‘the digital’ are constructed discursively, the materiality of these components, at least to some extent, also matters. In particular, the argument that cyber threats are difficult to represent visually, and that this leads to hypersecuritisation, implies that the material quality of invisibility impacts the way in which cyber threats are securitised. Likewise, the argument that cyber attacks have instantaneous cascading effects, which also contributes to enabling hypersecuritisation, implies that the material property of speed has an impact on the securitisation of cyber as well.

Similar to Hansen and Nissenbaum, moreover, Stevens also includes in his analysis an argument about the difficulties in representing cyber threats due to their invisibility.Footnote ⁴² In contrast with Hansen and Nissenbaum, however, he suggests that what leads to securitisation is not the lack of visual representations, but rather attempts at representing cyber threat scenarios visually. Such attempts, which often consist of cybersecurity exercises and simulations and may also come through popular culture, engender catastrophe scenarios which are typically worse than likely, real-world situations. Stevens stresses, though, that there is an important difference between exercises and simulations on the one hand, and popular cultural representations on the other. In this way, the invisibility of cyber threats may, through efforts to what Stevens calls ‘materialising the virtual’, function to enable security practitioners and politicians to raise the security-stakes in the liberty/security-trade-off and thus legitimise new and more invasive security policy.Footnote ⁴³

Presenting a complementary explanation, Claudia Aradau and Tobias Blanke show how anthropocentric understandings of cybersecurity enable the lowering of liberty stakes in the liberty/security trade-off by giving the impression that data-gathering does not constitute mass surveillance since personal data is only viewed and analysed by computers.Footnote ⁴⁴ Aradau and Blanke even engage directly with the example of bulk interception and show how arguments about the absence of humans in data analysis have been leveraged to make the case for why bulk interception is not harmful from a privacy perspective.Footnote ⁴⁵ Their approach is part of a larger body of ‘data politics’ literature which tends to treat data as part of the material conditions for the production of cybersecurity and more specifically the legitimation of surveillance. Most notably, Evelyn Ruppert, Engin Isin, and Didier Bigo, who coined the concept of data politics, argue that data has world-making effects in the sense that it creates new spaces for the enactment of security politics.Footnote ⁴⁶ In making this argument, they emphasise the invisibility of data by highlighting how the language of the internet ‘is hardly visible or even comprehensible to those who do not write such code’. In this way, Ruppert, Isin, and Bigo suggest that the writers of invisible code hold a certain power in the production of digital politics and accordingly imply that the invisibility of data in itself plays an important part in making possible such productive processes. Aradau and Blanke also emphasise the power that lies in managing largely invisible datapoints, as they argue that algorithmic governance makes digital subjects knowable through ‘othering’ based on anomaly rather than abnormality.Footnote ⁴⁷

In exploring how digital immateriality acts in securitisation processes, these constructivist approaches to cybersecurity undoubtedly offer important insights. By making the case for taking into account how discursive representations of cyber threats are shaped by the materiality of ‘the digital’, they all – albeit in different ways – demonstrate how matter may function as a condition for the intersubjective meaning-making that goes into the securitisation of cyber. They show that immaterial qualities of ‘the digital’ such as complexity, speed, reach, and invisibility make possible certain representations of cyber (in)security. More specifically, they seem to suggest that these immaterial qualities enable the construction of cyber threats as a kind of insecurity which requires the urgent and swift implementation of security measures, even in the absence of concrete threats.

Constructivist approaches to cyber securitisation thus also provide a useful framework for analysing the Norwegian bulk interception controversy. Indeed, we saw in the presentation of the Norwegian bulk interception controversy above that parliamentarians and other stakeholders represented ‘the digital’ with references to many of the immaterial digital qualities highlighted by e.g. Dunn Cavelty,Footnote ⁴⁸ Stevens,Footnote ⁴⁹ and Hansen and Nissenbaum.Footnote ⁵⁰ Recall for instance how Navarsete argued that ‘that which we do not see’ constitutes the most serious security threat,Footnote ⁵¹ invoking the invisibility that Hansen and Nissenbaum call to our attention when arguing that cyber threats hypersecuritise in part because they are difficult to represent visually. Recall also how FFI emphasised how ‘the digital’ and more concretely the internet as a central digital infrastructure is ‘by nature, border-crossing, very large, and complex’,Footnote ⁵² thus mobilising imaginaries of reach and complexity that Dunn Cavelty highlights as central ‘hard facts’ of ‘the digital’. And recall, finally, how NUPI contended that the intelligence services must ‘have tools to follow this [the digital] development which is exponential and extremely fast’,Footnote ⁵³ and as such, justified the implementation of bulk interception with reference to the speed of digitalisation that Stevens raises as an important condition for the governance of cybersecurity.

Still, seeing digital materiality as a conditioning force limits our understanding of how ‘the digital’ acts in and upon securitisation processes. Specifically, the understanding of material agency in terms of passive conditioning, which is more or less explicitly put forth by constructivist cyber researchers, prevents us from properly interrogating how digital immateriality may play a more active role in the production of cybersecurity. By giving analytical privilege to discourse over matter, even when acknowledging the importance of the hard facts and materials of cybersecurity, they miss how ‘the digital’ is not only acted upon but also acts itself. For while the statements revisited here illustrate how digital matter functions to condition discursive representations about cybersecurity, they also give the impression that something more is in play, and, concretely, that ‘the digital’ imposes on rather than structures the discourse.

Active matter: New materialist approaches to digital immateriality

In seeking to account for the more active intervention of digital immateriality in securitisation processes, I now turn to new materialist scholarship on cyber (in)security and discuss how this literature has addressed the material agency of immaterials. As opposed to constructivist securitisation theory, which concentrates on the discursive construction of cyber threats, new materialist approaches emphasise the material properties and agential capacities of matter and hence show how the immateriality of digital matter not only conditions securitisation but plays an active part in the production of cyber (in)security.

One prominent new materialist approach is Thierry Balzacq and Dunn Cavelty’s actor-network theory for cyber security.Footnote ⁵⁴ Actor-network theory posits that all actants – human and non-human – have ‘capacity for agency’Footnote ⁵⁵ and that they are involved in, come into being through, and have productive effects via interactions with other actants. Balzacq and Dunn Cavelty theorise malware, i.e. malicious software, as the central actant of cyber (in)security and argue that it creates spaces which ‘have implications for the way we conceptualise cyber-security, the process that brings actors together, and the type of interventions that are made possible’.Footnote ⁵⁶ In other words, malware acts by creating the spaces within which cybersecurity policy can operate. Concretely, Balzacq and Dunn Cavelty suggest that malware creates three kinds of spaces through its disruptive performance: regional, networked, and fluid spaces. On the one hand, the creation of regional and networked space keeps cyber (in)security manageable, since malware in such cases perform cyber (in)security as confined within stable geographical or computerised spaces, both of which are physical. The creation of fluid space, on the other hand, happens when malware succeeds in breaking down systems to the extent that components in an actor-network no longer have stable relations to each other. This is when ‘networks start to panic’ and cyber insecurity spills over into the public and political realms.Footnote ⁵⁷ In this way, the creation of fluid space may lead to digital hysteria or ‘or strong over-reactions in government circles’.Footnote ⁵⁸ According to Balzacq and Dunn Cavelty, moreover, severe disruptions and their creation of fluid space mark ‘the moment when malware becomes perceptible, sometimes even literally visual’,Footnote ⁵⁹ which also contributes to enabling strong cybersecurity policy responses.Footnote ⁶⁰

To some extent, Balzacq and Dunn Cavelty’s actor-network theory for cyber (in)security is similar to the constructivist approaches. In the quote reproduced above, they claim that malware’s creation of space has ‘implications for the way we conceptualise cyber-security’.Footnote ⁶¹ Elsewhere, they contend that ‘in order to understand the role (and agency) of cyber-incidents, we must understand what they do – how they perform – in their environment, before they are interpreted by actors in political processes’.Footnote ⁶² In this way, Balzacq and Dunn Cavelty suggest that malware acts in securitisation processes by establishing the structures and frames within which policy responses to cyber insecurity are possible. In particular, the assumption of a chronological relationship between immaterial action and discursive construction, where the latter follows the former, reproduces the notion of digital immateriality as condition. Moreover, Balzacq and Dunn Cavelty’s argument that the creation of fluid space through malware activity enables digital hysteria and exaggerated policy responses is reminiscent of Hansen and Nissenbaum’sFootnote ⁶³ and Stevens’sFootnote ⁶⁴ contentions that the invisibility and speed of ‘the digital’ make possible the justification of draconian cybersecurity policy. By both accounts, the immateriality of ‘the digital’ lays the material foundations for public perception and political response.

At the same time, however, Balzacq and Dunn Cavelty’s approach differs significantly from constructivist accounts of digital immateriality by front-footing the activity of malware. For Balzacq and Dunn Cavelty, malware acts not only by conditioning conceptualisation but also by mediating relations and transforming the networks of which it is part. More concretely, seeing malware as a mediator in cybersecurity actor-networks entails seeing malware as an actant which ‘affects whatever flows through’ it, and, as such, as an immaterial cyber component which not only circulates but also ‘affects circulation in cyberspace’.Footnote ⁶⁵ Thus, Balzacq and Dunn Cavelty’s actor-network-theory-inspired approach allows us to see how digital immateriality imposes materially on the securitisation process in ways that are ‘detached from the “intent” of the person who wrote the code’.Footnote ⁶⁶ In other words, malware lives a life of its own and contributes to the production of cyber (in)security in unpredictable and uncontrollable ways.Footnote ⁶⁷

Providing an account of cyber (in)security that more explicitly brings new materialist perspectives on digital immateriality to bear on theories of securitisation, Noran Shafik Fouad argues that the agency of information (and more precisely the actions of code and software) produces what she calls entropic security – a security characterised by uncertainty and disorder.Footnote ⁶⁸ Fouad argues, moreover, that entropic (cyber)security is constituted by three interrelated logics. First, the logic of negentropy marks the need to respond to the entropic nature of cyber (in)security. Negentropy means ‘negative entropy’ and describes anti-entropic security practices which aim to counter the entropic force of information-related threats. In practice, this entails accepting the inherent uncertainty of information and directing security practices towards risk prioritisation rather than elimination. Second, the logic of emergence refers to how the randomness and non-linear activity of information forces cybersecurity practices to redirect their attention away from easily defined enemies and instead towards more complex assemblies consisting of self-organising technical systems and agentic malware as well as human actors and/or states. Finally, the logic of noise describes how cyber (in)security is more mundane than exceptional given the simultaneous physicality and non-physicality of information. Taken together, Fouad holds, these three logics of cyber (in)security should lead us to think differently about the securitisation of cyber threats. In particular, she argues that the notion of entropic security highlights how cybersecurity practices are legitimised through more complex processes where a multitude of actors are involved and interact with the materialities of information and crucially, where the construction of threats is not reliant upon references to enmity and emergency.

For the purposes of this article, Fouad’s (2020) theorisation of information and digital threats in terms of the ‘simultaneous physicality and non-physicality’ of information, and her suggestion that this leads to the governance of cyber (in)security through a logic of noise, is particularly useful.Footnote ⁶⁹ In theorising information as simultaneously physical and non-physical, Fouad particularly highlights how ‘the digital is made of binary codes embedded in machines and are not visible to human beings’ and explains how ‘codes/software hide their complexity in user-friendly interfaces’.Footnote ⁷⁰ She also demonstrates how even the tangible components of digitality are elusive. For instance, users of digital technologies often have the impression that their data is ‘stored in a virtual place’, while in reality data centres are ‘massively physical’.Footnote ⁷¹ Likewise, wireless and hence invisible digital connections are ‘supported by a huge infrastructure of cable systems, under soil or under sea’.Footnote ⁷²

The non/physicality of digital information, Fouad further argues, enables the governance of cyber (in)security through a logic of noise, since it limits ‘existentiality perceptions’Footnote ⁷³ in the security discourse by showing that cyber threats are ‘disruptive rather than destructive’.Footnote ⁷⁴ For Fouad, cyber threats and their inherent non/physicality make noise in the sense of always disrupting digital systems. Hence, they do not represent existential threats that require the suspension of normal politics to implement draconian security policy, but instead mundane threats which can be addressed through normal politics and by implementing security policies that continuously hinder and limit disruptions.Footnote ⁷⁵ In Fouad’s words, a ‘cyber attack is the noise that threatens the system but does not necessarily challenge its existence’.Footnote ⁷⁶ In this way, the non/physicality of digital information and its creation of system-threatening noise produces what Fouad calls a condition of ‘urgency without existentiality’.Footnote ⁷⁷ On Fouad’s account, then, the securitisation of cyber is influenced by the immaterial materiality of ‘the digital’ in the sense that the non/physicality of information enables the swift and urgent securitisation of threats even in the absence of existentiality.

As an advance from critical constructivist securitisation theory, and its view of the immateriality of ‘the digital’ as a conditioning force, the new materialist approaches to digital immateriality discussed here take us one step further in understanding the role of immaterial agency in securitisation processes. By highlighting the non-human agency of malware and of information more generally, the new materialist scholars discussed here demonstrate how immaterial digital materials act in securitisation processes not only by establishing the foundations for the discursive construction of threats but also by taking an active part in that construction by continuously interacting with the human security actors who formulate threat representations.

Applied to the Norwegian bulk interception controversy, moreover, new materialist approaches to digital immateriality provide further insights into how the new surveillance regime was legitimised. Most importantly, Fouad’s notion of noise as a logic of cybersecurity governance offers a promising way of conceptualising how the immateriality of digital materials imposed on the securitisation of communication in the bulk interception controversy.Footnote ⁷⁸ From Fouad’s perspective, the non/physicality of communication (a kind of digital information) represented disruptive noise in the securitisation discourse and enabled the implementation of a surveillance regime meant to continuously address this noise and hinder or limit disruptions. This can be seen, for instance, in FFI’s consultation response, where they stated that the ‘digital ecosystem is used by nearly all societal functions, communication and infrastructure and it is therefore absolutely necessary to understand, manage, make use of and protect’, and that the implementation of a new Intelligence Act which included a bulk interception bill was ‘necessary because the rapid technological development has created and will continue to create new and significant vulnerabilities and risks for state security’.Footnote ⁷⁹

At the same time, though, the Norwegian bulk interception controversy also demonstrates that there may be more in play in the immaterial production of cyber (in)security than existing new materialist approaches suggest. Specifically, the securitisation of communication in the case of the Norwegian bulk interception controversy seems to invoke some sort of existentiality, and hence, Fouad’s notion of noise-governance as security policy that responds to ‘urgency without existentiality’Footnote ⁸⁰ does not provide a precise enough description of the immaterial’s role in the securitisation process. The FFI-quote reproduced above, for instance,Footnote ⁸¹ is indeed imbued with a wish to implement policy which responds to the fundamental, long-term transformation of society and threat politics which digitalisation represents. Moreover, the legitimisation of bulk interception also appears to have been enabled not only by the digitality of threats but also by the threatening nature of ‘the digital’ in itself. As such, accounts of cyber securitisation that refer to malware agency and noisy cyber attacks do not capture the full breadth of the problem.

Digital im/materiality: Abstraction and obfuscation

In order to discern the materiality of ‘the digital’ and subsequently to make sense of how this materiality imposes on securitisation processes, I turn to postmodern philosopher Lyotard’sFootnote ⁸² notion of immateriality and, more specifically, to philosopher of technology Yuk Hui’sFootnote ⁸³ reading of Lyotard in light of recent digital transformations. Lyotard’s concept of the immaterial stems from an exhibition he set up alongside designer Thierry Chaput at the Centre Pompidou in 1984/5. The exhibition was a response to the development of new telecommunications technology and aimed to thematise how it puts into question modern notions of humans’ relation to their material – often technological – surroundings.

More specifically, Lyotard suggests the concept of the immaterial to capture how seemingly non-material technologies that have a physical fundament confronts us with a new kind of matter which is neither material nor non-material but rather something in between and a bit of both.Footnote ⁸⁴ For Lyotard, then, the concept of the immaterial ‘defines the realm of the physically imperceptible’;Footnote ⁸⁵ it is material in the sense that it consists of physical components and non-material in the sense that it cannot be immediately perceived by the human senses. Hence, it is best captured by the term immaterial, which mobilises the prefix ‘im’ to negate the notion of a binary relationship between that which is material and that which is not. Since it operates in spatiotemporal registers that evade our senses, moreover, the immaterial refuses control and becomes unmasterable, meaning it constitutes a technology which cannot easily be manipulated by human actors but instead acts upon humans in mysterious and largely ungraspable ways.Footnote ⁸⁶

Revisiting Lyotard’s notion of the immaterial around 30 years after the Les Immateriaux exhibition, Hui suggests that the immaterial is helpful for understanding what the digital is materially, as it has evolved since the revolution in telecommunications that Lyotard reacted to in the 1980s.Footnote ⁸⁷ To arrive at an immaterial ontology of the digital, however, Hui begins by elaborating on traditional ways of understanding the digital in digital physics and in media theory.

The digital physics approach understands the digital in terms of 1s and 0s. Inspired by Leibniz’s monadology and seeking to establish a metaphysics of simple substances, this approach posits that ‘any digital being … can be reduced to its binary composition’.Footnote ⁸⁸ On this account, the digital consists materially of the tiniest bits and pieces which constitutes it and is given its characteristic features by the concrete ways in which these bits and pieces relate and are organised. While helpful, Hui argues, this approach is limited since it ultimately conceptualises the digital in highly abstract terms. Understanding the digital in terms of 1s and 0s may seem like a radical concretisation of digital materiality, but in effect it conceals the digital’s material foundations by leaving the concept of the digital abstracted. The digital physics approach, Hui claims, presupposes the question of materiality, i.e. the question of what the digital is materially in the sense that it prioritises ‘information [as organised by 1s and 0s] over matter and energy [the material foundations of the digital]’.Footnote ⁸⁹

Media theory, on the other hand, instead reduces the digital to its physical components, i.e. the materials that support the digital and make possible its practical operation. One influential media-theoretical approach called forensic materiality advocates for ‘analysing traces in a computer, going beyond what is visible on the screen’.Footnote ⁹⁰ Forensic materiality thus decomposes digital objects in order to reveal and make visible and tangible the material foundation that undergirds the abstract concept of the digital. Hui sees this approach as a necessary corrective to the digital physics approach, since it renders the concrete matter of the digital visible instead of concealing it. For Hui, however, this approach is also limited since it makes the digital almost too physical, which in a sense also conceals the materiality of the digital. By emphasising the tangibility of all digital matter, media theory makes the error of understanding the ‘condition of being material … a synonym of its materiality’,Footnote ⁹¹ i.e. it confuses materiality with physicality. While forensic materiality can helpfully ‘be applied to any kind of technical object’ in order to show how technical objects and their often imperceptible operations are composed of physical matter, it contributes little to ‘the clarification of the digital’.Footnote ⁹²

To clarify the digital, then, Hui suggests turning to Lyotard’s notion of the immaterial. The immaterial, Hui holds, is precisely what we normally refer to as the digital today and, as such, can cast light on what the digital is. Lyotard’s notion of the immaterial occupies a middle ground between the digital physics and media theory approaches as it rejects both the abstraction of 1s and 0s and the concretisation of technical objects and instead insists on the simultaneous materiality and non-materiality of digital matter. In occupying this middle ground, moreover, the immaterial offers a radically different way of thinking about digital materiality as such. It does so not only by rejecting exaggerated abstraction and concretisation, but also by refusing to take the question of substance as the starting point for its critique. Both digital physics and media theory ‘start with and end up with substance’,Footnote ⁹³ in the sense that they build their account of digital materiality from observations of the physical existence of binary code and technical objects respectively. The immaterials approach, meanwhile, seeks to move away from substance and approach digital matter as constituted by relations instead. This means that it takes digital materiality to consist not of the digital’s physical components but rather of the energy produced by the ways in which these components interact.

Crucially, moreover, Hui argues that the digital stands out from other immaterials such as Lyotard’s telecommunications technology since the interactional energy it produces and hence its material force consists of data.Footnote ⁹⁴ Technology has a general tendency, Hui explains, to concretise relations and in this way render ‘the invisibles visible’.Footnote ⁹⁵ For instance, ‘writing puts thoughts and perceptions on paper; pulleys, wheels and chains concretise imaginary movements in mechanical terms; the vapour engine instantiates flows of energy in the relations between water, fuels, pipes and gears’.Footnote ⁹⁶ The concretisation of relations through data, on the other hand, is different since it does not render invisibles visible but rather keeps invisibles invisible and abstract even in concretised form, since data – while technically physical – is for all intents and purposes imperceptible.

As such, the digital constitutes a materiality which is not conditioned by ‘the subjective grasp of relation’,Footnote ⁹⁷ meaning it acts as a material force independent of human perception and understanding of the relations it concretises. Indeed, it is precisely in the elusiveness of the digital, and in the digital’s capacity to evade the human senses while it is knowingly physically present, that the material agency of the digital lies. As Mark Weiser famously argued: ‘The most profound technologies are those that disappear.’Footnote ⁹⁸ As Hui’s reading of Lyotard’s concept of the immaterial shows, the concretisation of relations in data form is one particularly effective way for technologies to disappear, and, following Weiser, thus also a powerful way for digital technologies to act in and upon processes of social and political ordering.

Importantly, though, data as a site for the production and enactment of politics has been explored before. Recall for instance Isin, Ruppert, and Bigo’s argument that data has world-making effects and that the invisibility of data plays into how it makes worlds.Footnote ⁹⁹ Moreover, a relational ontology, and more specifically an emphasis on the relationality of data, is nothing new either: new materialist approaches to cyber (in)security all assume that humans and non-humans do not have a pre-relational existence and form but rather emerge from and gain political salience through their interactions with other components of the actor-network or assemblage. For instance, Balzacq and Dunn Cavelty’s theory of cybersecurity actor-networks relies on a ‘generalised ontological symmetry’, meaning it takes ‘different kinds of entities (humans and nonhumans) [to be] involved in relational productive activities’.Footnote ¹⁰⁰

Different from previous ‘data politics’ and relational approaches to cyber (in)security, though, Hui’s argument that ‘the digital’ consists of data relations and the energy produced by data interactions highlights how ‘the digital’ may act as a unitary entity and material force in its own right and not only via the material relationality of its component parts, and through the interactions between these components and human security actors.Footnote ¹⁰¹ Through this focus on data relationality, moreover, Hui’s approach also brings out the distinctly im/material quality of digital matter, which often gets sidelined in existing new materialist approaches. Focusing on the im/material (material but intangible; simultaneously physical and non-physical) elements of ‘the digital’ (like code and software) and how they interact with the human actors involved in cybersecurity, new materialist approaches locate the political salience of digital immateriality in relations between humans and non-humans. Hui, on the other hand, locates the political salience of ‘the digital’ in relations between data, and the immaterial energy produced through such relations, since it is in the im/materiality of ‘the digital’ and not in the relations between the material and immaterial components of digitality that the primary material force of ‘the digital’ and its capacity for political action lies. This does not mean that ‘the digital’ does not interact with human actors through its material components, but rather that ‘the digital’ in itself – a category of technology rather than a concrete technology, e.g. in the form of a device or a piece of equipment – interacts with humans and influences how they socially construct policy issues by imposing its energetic presence on the discourse. Different from the way in which concrete technologies like smartphones or the internet or artificial intelligence would impact their own construction by interacting directly with the human actors who represent them, ‘the digital’ impacts the construction of policy issues (like security) by providing an entirely new lens through which we view and make sense of them.

Indeed, the material and immaterial quality of ‘the digital’ has – as we saw above – also been addressed in the literature, most explicitly by Fouad, who conceptualises digital information in terms of the simultaneous physicality and non-physicality of code and software.Footnote ¹⁰² However, Hui’s understanding of ‘the digital’ in terms of its data ontology differs significantly from Fouad’s understanding of ‘the digital’ in terms of its information ontology, in the sense that it emphasises how ‘the digital’ acts through the im/material properties of data rather than through the material properties of immaterial digital components like code and software.Footnote ¹⁰³ This is shift in perspective is important not only because it brings out how ‘the digital’ acts in its own right and not only through the relations between its component parts and human actors, but also because it shows how the political agency of ‘the digital’ lies in its capacity to concretise relations through further abstraction and obfuscation.

Im/material securitisation: Exceptionality without urgency

What does it then mean to invoke ‘the digital’ in a security controversy, and more precisely, in efforts to securitise cyber threats? How does immaterial materiality impose on and animate the securitisation process? One clue can be found in Lyotard’s suggestion that the Les Immateriaux exhibition was meant to generate unease, indicating that immaterials engender cyber insecurity by invoking a vague and permanent kind of uncertainty.Footnote ¹⁰⁴ Another (and more important) clue can be found in Hui’s argument that the political stake in an immaterial concept of the digital is connected to the use of data for commercial as well as intelligence purposes, which suggests that digital immateriality may primarily produce cross-sectorial, society-wide insecurity.Footnote ¹⁰⁵ As such, the immateriality of ‘the digital’ may at first sight be seen to contribute to what Jef Huysmans has called the unbinding of security, whereby insecurities are scattered and diffused across societal domains and permeate everyday life, and, hence, where securitisation turns mundane matters such as digital communication into issues of security.Footnote ¹⁰⁶ Yet Hui’s notion and political reading of ‘the digital’ points in the direction of a more precise diagnostic of the securitising dynamics at play when ‘the digital’ acts.

Hui argues that an im/material conception of ‘the digital’ reveals a political condition in which material relations concretised as data and metadata are profitable for commercial as well as state actors. Hui thus implies that by appreciating the im/material quality of ‘the digital’ we may see how digitalisation enables what he has elsewhere described as a ‘new mode of reification and control’.Footnote ¹⁰⁷ To clarify this point, Hui also writes that the ‘criticality’ of this new political condition ‘is also in the process of disappearing’.Footnote ¹⁰⁸ By this he does not mean – I take it – that the criticality of data-governed politics and society is currently disappearing in the sense of losing relevance or potency, but rather that the criticality of such a politics lies precisely in its continuous act of disappearing. That is, the digital is a powerful political force because it systematically avoids capture. As such, Hui invokes Weiser’s famous dictum referenced above, which posits that disappearing technologies are the most pervasive, since they become invisible through ubiquity and powerful through being taken for granted.Footnote ¹⁰⁹

On this account, ‘the digital’ can be seen to construct security threats precisely by obscuring them and hence contributes to the production of cyber (in)security by disappearing into the background, a position from which it presents an ever-present, atmospheric source of insecurity and unease. By concretising immaterial components of cyber (in)security through keeping the invisible invisible and hence by abstracting and obscuring that which is technically physical and tangible, ‘the digital’ represents a threat in itself. This perspective contrasts Stevens’s argument that attempts at representing digital threats visually function to ‘materialize the virtual’Footnote ¹¹⁰ and hence typically have the effect of raising the stakes involved in cybersecurity policy by constructing cyber (in)security in overly apocalyptic terms.

Informed by Hui’s data-ontological approach, we can see that ‘the digital’ acts in and upon the securitisation process by raising the security stakes in the liberty/security-tradeoff, not by allowing for the construction of catastrophe scenarios, but by representing a threat in and of itself. By continuously disappearing into the background and representing an ever-present and looming danger, ‘the digital’ acts through further abstraction and obfuscation, rather than through enabling concrete representations. In a way, then, a Hui-informed approach to securitisation is more in line with Hansen and Nissenbaum’s argument that it is the invisibility of digital threats, rather than attempts at compensating for that invisibility, that leads to securitisation.Footnote ¹¹¹ At the same time, a Hui-informed approach departs from Hansen and Nissenbaum’s constructivism by showing how invisibility is not a limit of representation but rather an agentic property of ‘the digital’.

Seeing ‘the digital’ through Hui’s lens, then, seems to enable the governance of cyber (in)security and more precisely influence securitisation of digital communication by saturating the cybersecurity discourse with permanent and indeed existential uncertainty. By disappearing into the background and thus constituting an omnipresent and foundational threat, ‘the digital’ functions to legitimise the implementation of draconian security policies, meant as a response not to immediate and concrete threats, but to a drastically changed security situation, where a digital atmosphere of lasting uncertainty makes invasive mass surveillance seem natural and necessary. Instead of enabling the governance of cyber (in)security through the logic of noise and a sense of urgency without existentiality, ‘the digital’ thus conversely enables the governance of cyber (in)security through a sense of existentiality without urgency. Through its invisible and complex omnipresence, and via the promise of speedy development and ubiquitous impact, ‘the digital’ creates a security situation which requires invasive robust action that offers to build a digitally resilient defence, but which does not – and for the very same reasons – require swift and urgent implementation. Indeed, the Norwegian bulk interception controversy, and in particular the Norwegian parliament’s decision to postpone the inclusion of the bulk interception clause in the Intelligence Act in lieu of a clarification of the potentially human rights-violating of bulk interception regimes generally from the ECtHR, indicates that the threat of digitalisation is of a type that demands solid grounding and thus cannot operate through a suspension of normal politics, like classical securitisation theory might suggest.

To further explicate what kind of securitisation the im/material agency of ‘the digital’ enables, and more specifically, to further detail how cyber securitisation as response to existentiality without urgency may operate, we can locate the Hui-informed approach to cyber (in)security in relation to two prominent logics of cyber risk governance recently identified and presented by Sarah Backman and Tim Stevens.Footnote ¹¹² Backman and Stevens argue that governance of risk and uncertainty in the cyber domain operates after two main logics: risk as potential threat and risk as uncertainty. Risk as potential threat means that the risk to which cybersecurity policy responds is understood in terms of a potential threat that may be actualised in the future. Risk as uncertainty, on the other hand, entails an understanding of cyber (in)security in terms of the constitutive uncertainties and, more precisely, the socio-technical vulnerabilities of digital systems and infrastructures.

Hui’s notion of ‘the digital’ as im/material, and, consequently, the role that ‘the digital’ plays in processes of securitisation, carries elements of both of the security logics identified by Backman and Stevens and may thus be seen to sit somewhere on a spectrum between them. On the one hand, im/material securitisation responds to potential threats in the sense that ‘the digital’ is a vehicle for unpredictable future threats. Specifically, the im/material quality of ‘the digital’ makes potential cyber threats seem more ominous since it obscures and abstracts the nature of such threats. In the bulk interception controversy, we saw this e.g. through Navarsete’s emphasis on the invisibility of digital threats and her argument that ‘that which we do not see’ is ‘more difficult to combat’.Footnote ¹¹³ On the other hand, im/material securitisation also responds to longer-term uncertainties in the sense that ‘the digital’ represents a fundamental change in the conditions for the governance of cyber (in)security. In particular, the im/material quality of ‘the digital’ makes uncertainties seem more ubiquitous and complex. This is perhaps best captured by, for example, Gram’s argument that ‘we cannot have an analogue defence in a digital world’.Footnote ¹¹⁴

The contention that statements from the Norwegian parliamentary debates about bulk interception – such as Navarsete’s or Gram’s referenced here – show that ‘the digital’ acts in and upon securitisation processes requires qualification, however. I have made the case that ‘the digital’ acts through its im/material properties and suggested that such action is visible in discursive representations. This raises an important methodological question about how we can discern and recognise material agency in discourse, and in securitisation discourses more specifically. More concretely, how can we tell if and to what extent, for example, Navarsete’s and Gram’s statements cited above were influenced by the im/material agency of ‘the digital’?

To address this question, Tom Lundborg and Nick Vaughan-Williams’s notion of radical intertextuality is helpful. They argue that the new materialist turn in IR and security studies is problematic since its emphasis on ‘the politics of materiality over that of language and representation perpetuates rather than challenges the notion of a prior distinction between language and materiality’. To overcome this problem, they suggest turning to the materialist sensitivity that lies latent in poststructuralist discourse theory. Of particular use for the present article is Lundborg and Vaughan-Williams’s analysis of Derrida’s notion of ‘force’. For Derrida, they explain, materiality and language are characterised by a ‘mutual imbrication’, which means that ‘it is impossible to assume any sort of “pure material” realm that is uncontaminated by language (and vice versa)’. ‘Matter “is” not anything’, they continue, and can ‘only be understood as part of a complex and radical intertextuality’ or ‘the generalised text’. Animating the generalised text, moreover, are what Derrida calls forces: ‘often invisible or impalpable’ political moves that cut across the language/materiality divide and which ‘entail closures in the attempt to delimit a specific context’.Footnote ¹¹⁵

From the perspective of radical intertextuality, the question of whether we can discern the effect of material agency in discursive representation makes little sense. Language and materiality are ‘mutually imbricated’ and hence cannot be separated analytically. We cannot know, then, if statements given by parliamentarians about digital security are a result of the im/material agency of ‘the digital’ per se. Importantly, though, this is not a methodological concession, but an acknowledgement of the complexity of discursive/material meaning-making. Taking seriously this complexity, we should not identify signs of discernible material agency in discursive representations but instead try to look for the activity of force within the generalised text. Seeing ‘the digital’ as a force in Derrida’s sense, representations of ‘the digital’ in security discourses express, not the exact effect of digital im/materiality on the securitisation of cyber, but the im/material activity of ‘the digital’ in producing the conditions of possibility for security politics.

Exceptionality without urgency can thus be seen as a mode of securitisation which is enabled, in part, by the im/material force of ‘the digital’. ‘The digital’ is a force that acts in and upon securitisation processes by making current threats abstract and obscure, and by making future threat scenarios more uncertain. In this way, ‘the digital’ makes possible the implementation of a security policy which maximises data access for the intelligence services to use for calculating and pre-empting risk and, crucially, the long-term legitimation of such policy, since digital development constitutes a fundamental and permanent uncertainty.