Over the last couple of weeks we’ve seen the FBI and international law enforcement groups arrest members of the LulzSec and Anonymous groups for their computer hacking activities. For the last five years or so these (and other) groups had been launching an accelerating set of attacks on commercial and governmental computer systems. Since they weren’t doing it for profit, and instead seemed motivated largely by personal political leanings, this was all considered “hacktivism”. Of course the activities were criminal. Of course these “super-hackers” used technology to hide themselves from the authorities. And, in truth, as long as their activities were limited to minor stunts meant to send political messages Law Enforcement wasn’t going to put a lot of resources into stopping them. But they were so righteous (particularly in their attempts to support WikiLeaks), and thought themselves made so invincible by the anonymity they maintained on the web, that they fell victim to two mistakes. They accelerated their activities to the point that they woke the sleeping giant. And they forgot that Law Enforcement has a long history of dealing with “organized crime”. In the end they were knocked down a couple of notches by classic law enforcement techniques. More importantly they woke the FBI up to the increasing risk of cybercrime, to the point that a few days ago FBI Director Robert Mueller told RSA Conference attendees that Cybercrime was on its way to eclipsing Terrorism as the greatest threat to the United States. And that the FBI was organizing to fight Cybercrime using what it had learned in the fight against Terrorism. Legislation for fighting Cybercrime is also now a hot topic in the U.S. Congress, which should have us all both relieved and terrified at the same time (since generally speaking Law Enforcement has used new powers given to them by Congress to do more than Congress intended, such as apply RICO to non-organized crime activities).
For those who don’t follow the story, a very brief summary. A disaffected member of LulzSec (and Anonymous) figures out who a key leader of LulzSec is and this information gets to the FBI. The FBI goes after the leader, and apparently offers to keep him out of prison if he helps bring down the group. The leader cooperates and helps the FBI gather information about group members, their activities, etc. Eventually the FBI decides it has what it needs and the arrests follow. Does this sound much different from how the FBI has brought down organized crime groups in the past? Think “Sammy the Bull” Gravano and the Gambino crime family as a well-known example.
Think back to the late 1960s and early 1970s, when anti-war protests spawned leftist activism groups that used civil disobedience, which themselves spawned ever more radical groups that were willing to use violence, like the Weather Underground and its bombings of corporate and government buildings (including the U.S. Capitol). LulzSec and Anonymous were becoming the Weather Underground and Red Army Faction (aka, Baader-Meinhof Gang) of the Internet age. That was something Law Enforcement couldn’t ignore.
Some months ago, when LulzSec launched an attack on the CIA, I tweeted about how silly it was to launch a cyber attack on organizations who’ve declared that such attacks could warrant a kinetic response. I was only half-joking. Governments, the U.S. included, will use force to stop cyber attacks. Particularly attacks that put lives at risk. In this regard perhaps LulzSec and Anonymous members have been lucky that Law Enforcement got to them first. If a CIA operative were to lose their life as a result of hacking, I’m not sure the CIA’s response would necessarily involve “due process”. And if hacking resulted in the CIA, FBI, etc. failing to stop a terrorist attack the public would certainly be calling for blood.
Just as Sammy Gravano’s testimony brought down the leadership of the Gambino crime family, but didn’t destroy the family let alone the whole “Cosa Nostra”, the recent waves of arrests will not eliminate cybercrime, hacktivism, or even the Anonymous group (though it probably did end LulzSec itself). They’ve just made a temporary dent. But the sleeping giant is awake. Just as the need to fight organized crime led to the RICO statutes, Congress is likely to pass laws to make it easier to fight cybercrime. Just as 9/11 led the FBI and other government agencies to focus on fighting terrorism, they are now organizing and gearing up to fight cybercrime. Likewise, just as 9/11 made companies and government organizations hyperaware of the need for better physical security, the attacks by LulzSec and Anonymous may finally have shaken them up enough to really focus on cybersecurity. And not a moment too soon.
In some ways I really want to thank the members of LulzSec and Anonymous for waking up the world to the dangers of Cybercrime and Hacktivism. A few years back I suffered directly from the result of Hacktivism, as a group broke into the web site of a political candidate they didn’t like, stole credit card information (including mine), and then released it publicly to embarrass the candidate. Hacktivism has now become a leading cause of Identity Theft and invasion of privacy, which is why the fight against it should matter to even those who support its political goals. On the other hand I worry about the loss of freedom that might result from fighting Hacktivism. For example, during the recent legitimate protest activities against the SOPA and PIPA legislation, attempts were made to discredit protesters by suggesting a link with the hacking activities of Anonymous. Will new legislation and zealous law enforcement cross what are often fine lines between legitimate and unacceptable activities? No doubt. And that’s something we’ll all have to be on guard for.
Have we entered a new era in the fight against Cybercrime, and its Hacktivism guise? I think so. The next few years are likely to be exciting and (hopefully just electronically) bloody. Or maybe we’ll all get lulled back into a false sense of security until a cyber-9/11 occurs. But with any luck we can combine an active fight against Cybercriminals and Hacktivists with the continued march towards systems that are significantly harder to hack to relegate this problem to “just” another part of society’s darker side. Sadly that is the best we can hope for.