Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition

Masculinity can influence cyber strategy

James Shires and Kate Millar examine how different kinds of masculinity shape the evolution and implementation of modern cyber defence strategies in the United States and beyond
Main Top Image
Image created with the assistance of Midjourney

In 2023, the US Cyber Command deployed specialist cybersecurity teams 22 times to help find vulnerabilities in the networks of partner countries. This marked a significant expansion from around 50 deployments across the previous five years. The programme, known as “Hunt Forward”, has gathered much momentum among cybersecurity policymakers but is highly controversial. Supporters point to how it practically contributes to the partner state’s cyber defences and helpfully adds new data to public cybersecurity repositories. However, critics point to undeclared intelligence collection opportunities and the escalation risks from adversaries’ perception of direct US involvement.

The United States is not alone in conducting hunt-forward operations. The United Kingdom has also stated that it conducts such operations, and Canada has collaborated with the US on hunt-forward campaigns. A recent review of such operations was published by the UK defence company BAE Systems, which has a significant stake in international cybersecurity capacity-building, including in places like Ukraine where hunt-forward operations have been deployed. 

The review emphasised that they are “purely defensive operations, but the label of ‘hunt forward’ can lead to them being misunderstood as offensive”. At the London conference where this report was launched in November 2023, several attendees lamented the name ‘hunt forward’, saying that although it created confusion, it was necessary to sell cyber defence operations internally within the military hierarchy.

What’s in a name?

In a recent article, Kate Millar and I put forward a perhaps surprising suggestion: that gender creates informal requirements for what constitutes a good operation or strategy. We refer to this phenomenon as “masculinist actionism”. Drawing upon the work of Brent Steele, we argue that militaries and other state institutions are caught in the midst of a broader social change between two idealised forms of masculinity. The first is “martial masculinity,” which valorises the traditional warrior willing to fight and die for his country. The second is “tech masculinity,” which celebrates the stereotypical geek who finds ways to unravel technologies through individual genius – and social awkwardness. In short, Rambo and Mr Robot, James Bond and Q.

This interaction between masculinities plays out across society, in films, media, and individual career decisions. It manifests in state institutions such as the military through stereotypical masculine dress: jeans, T-shirts, trainers and flip-flops for tech masculinity (not to mention the cliched hacker hoodie) as opposed to suits and ties or combat fatigues for military masculinity. 

There are also more pernicious and problematic manifestations. Journalist Barton Gellman’s summary of US National Security Agency (NSA) code names for different stages of a cyber operation, discovered as part of the Edward Snowden leaks, included titles like BLINDDATE, HAPPYHOUR, NIGHTSTAND, and SECONDDATE, culminating in PANT_SPARTY. He concluded that “sexual exploitation is an official metaphor of [cyber] operations, passed up the chain of command in operations reports and back down to the lower ranks in training materials”.

Gendered policies

Gendered distinctions also emerge in policy throughout the history of cyber operations. US Army officer and academic researcher Sarah P. White traces the history of US Navy cyber operators back to pre-1995 restrictions on women in combat and the consequent formation of the shore-based General Unrestricted Line Community (GURL), which specialised in electronic communications. The naming of this group is surely not coincidental, with gendered – and indirectly demeaning – designations devaluing the status of cyber operations (at least then). 

The gendering of cyber strategy means that policymakers must satisfy not only a whole host of political and bureaucratic constraints in introducing strategic change but also manoeuvre within boundaries set by the influences of this dual masculinity.

What does this look like in practice? ‘Hunt forward’ offers some clues. A label that practitioners find cumbersome and diplomats awkward nonetheless became the key framing for the strategy. Why? Because alternatives, like BAE’s distinctly unflashy suggestion of “deployed cyber defence”, could not generate the required support from senior officials, nor the sense of cool, daring adventure for those involved. At both levels, this is masculinist actionism at work: it is better to be hunting than defending, even if this requires verbal and logical leaps of the imagination.

But ‘hunt forward’ is far from alone. In the article, we analysed the US strategies of ‘persistent engagement’ and ‘defend forward’, suggesting that they offered a more attractive alternative to deterrence due to a complex shifting background of masculine ideals and preferences. The maligned concept of cyber deterrence was seen – in line with feminised tropes – as weak, passive, and reactive, while persistent engagement would ‘take this fight to the enemy’, meaning the United States would not just ‘sit back and take it’.

Another example we discuss is the label of ‘active defence’, which usually refers to a policy wherein many organisations – from the military to government departments to private companies – would be encouraged (or entitled) to act outside their ‘home’ networks, domestic or worldwide. For some, active defence involves tasking non-state actors with ‘hacking back’ after cyberattacks. This strategy repeatedly reaches state and federal levels in the United States, but has so far always been rejected.

Policymakers reject active defence not just because it is a bad idea, administratively speaking, or even because it increases the risks of conflict. At the levels of label and implementation, it fails to find the sweet spot between being sufficiently ‘tech masculine’ to resonate with digital natives and sufficiently ‘military masculine’ to meet the approval of soldiers steeped in ideas of physical bravery and state domination. The concept of active defence goes too far away from military masculinity, undermining the power of the state, in general, and defence and national security, in particular.

While our argument focuses on the United States, there are implications worldwide. The interaction of tech and military masculinities differs in different social contexts, and so the UK’s hunt-forward operations will likely end up sounding – and being used – differently to those of the United States. However, in a year when polls put Donald Trump very close to the US presidency, we should not underestimate the role of gendered shorthand in shaping cyber strategy. From a White House formerly motivated by the idea of “making the other guy bleed” in cyberspace, in the words of a senior Trump official, the baked-in masculinities of the language and ideas used to describe this digital domain really matter.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.