‘What’s in a Name?’: How Does the UK Government and Media Construct Cyber Actors?
DOI: https://doi.org/10.34190/eccws.25.1.4654
Keywords: cybercrime, securitisation, fear discourse, cyber actors
Abstract
Understanding how cyber actors are labelled is important to effectively respond to cyber threats. It has been
suggested that cyber is becoming increasingly connected to national security concerns, a process called securitisation. This
research sought to take a first step towards understanding if securitisation is occurring through examining the evolving
conceptualisation of cyber actors in the UK. The research reviewed cybercrime reporting from the UK Government and three
UK media websites between 2019 and 2023, taking a mixed-methods approach using thematic analysis to group cyber actors,
and content and statistical analysis to detect shifts in these categorisations. The research identified six primary categories
used to conceptualise cyber actors: Attackers, Companies, Criminals, White Hats, Hacktivists, and Nation States. The research
identified significant changes in multiple subcategories between 2019 and 2023, influenced by events such as COVID-19, the
2021 Colonial Pipeline ransomware attack, and the changing geopolitical landscape. Notably, there was an increased
tendency to associate cyber actors with nation states, particularly evident following the Colonial Pipeline attack which
correlated with a shift towards linking cybercrime groups to states, and the 2023 TikTok ban on government devices which
saw an increase in companies conceptualised as state influenced. The results also suggested the type of act does not always
determine the perception of cyber actors; instead, geopolitics appears to have greater influence on conceptualisations. The
research additionally found that terms for cyber actors (such as Hackers) are often used loosely and interchangeably.
Furthermore, the categories of actors formed a spectrum, especially blurring distinctions between state and criminals. The
research recommends organisations consider language around cyber actors more carefully. Further study is recommended
to understand if the results found are evidence of securitisation of cyber actors or a consequence of increased state cyber
activity.
License
Copyright (c) 2026 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.