Hacktivism: Communication Plays Key RoleIt's More About the Message than the Technology
Hacktivist attacks are increasing, but are organizations taking the right action to mitigate risk? Researcher Gregory Nowak says "no."
See Also: A Guide to Passwordless Anywhere
Nowak, principal research analyst for the Information Security Forum, an independent global authority, says groups such as Anonymous and LulzSec wage war not for financial gain but for reputational damage.
That's why it's critical that every organization approach hacktivism with a public-relations strategy in mind. The PR department is best equipped to determine where the organization is sensitive, and what types of complaints are being made about the company within the marketplace. PR should work closely with IT and security departments, he says, but the PR group must play an integral role.
"I'd also advise organizations to consider having an internal simulation, to perhaps have a facilitator of some sort come in and help them simulate a hacktivist attack and figure out what the organizational responses would be," Nowak says.
Understanding the cause behind the attacks can ensure organizations are better prepared to not react.
Second is organizational awareness. "There's a need for new kinds of teams and the new sorts of internal relationships," he says, "with the corporate legal department and the public-relations department."
Most organizations also could benefit from having a hacktivism working group - a group that meets occasionally to just discuss emerging hacktivist threats.
During this interview, Nowak discusses:
- Steps information-security and risk-management teams should take to raise awareness;
- Proactive measures to mitigate hacktivist risks;
- How incident response can preserve, and sometimes enhance, organizational reputation.
Nowak is a member of the ISF Global Team in the United States, where he is responsible for delivering client-facing projects. Nowak has contributed to ISF projects on hacktivism, cyber-citizenship and securing mobile devices. He also is responsible for ISF's Information Risk Analysis Methodology and has represented ISF as a speaker at industry conferences such as the MISA Annual Conference and the Software Assurance Forum.
Nowak has worked as an information security professional for more than 10 years in Fortune 500 companies and consultancy firms. He has experience in a wide range of information security disciplines, with a focus on software development, business continuity, and data and content management applications.
Taking Hacktivism Seriously
TRACY KITTEN: Is hacktivism a concern that many organizations have neglected to take seriously?
GREGORY NOWAK: Yes, I would say they have neglected it because they have looked at it as primarily an IT problem or a problem for their web group because hacktivist attacks tend to target online presence. But the point of a hacktivist attack, an attack on the reputation of an organization, is it's a kind of public relations war and I think most organizations are not prepared to fight a public relations war on the Internet front.
A Business Problem
KITTEN: You've noted before that hacktivism is a business problem, not necessarily a technology problem. Can you explain why you think it's a business problem and not something that should be addressed from a technical perspective?
NOWAK: Every corporation and organization has a certain amount of goodwill in the marketplace. They protect their brands; they want to maintain their brand reputation. And that's not a technology problem; that's a business issue. Maintaining an organization's reputation is a priority across the entire business, and to the extent that an organization views hacktivism as a technology problem, they're missing the boat.
Hacktivism is just using technology as a means to an end, and the end of hacktivism is to air a grievance or protest policies of a company, and most companies and organizations aren't even aware that this is the objective. They see hacktivism as kind of a technological nuisance and expect that it's going to be dealt with merely by their IT department, and they do not have measures in place to prepare them for a public relations war or to take steps that they need to take in order to maintain their reputations.
Investing in Technologies
KITTEN: Don't you suggest that organizations invest in technologies that would protect their online environment?
NOWAK: Oh, absolutely. And that's the first step. The reason that I don't stress the technical aspect of hacktivism is because technically there's really nothing new to what we've been calling hacktivism. Various sorts of attacks - denial-of-service attacks, e-mail bombing, petitions, online organizing - all of this has been around before; now we just have this label, and it's gotten more popular. But thinking of it as a technical problem that needs to be solved technically doesn't address the new elements. The technical stuff should have been taken care of years ago, and hopefully these organizations have their security measures in place, whether or not the sorts of risks they're dealing with are called hacktivism. And what I like to do is I like to call people's attention to what's truly new about hacktivism, which is the public relations aspect that's using the Internet as a medium, and that's where organizations need to invest their effort, assuming that technically they're already fairly secure.
Banks: A Common Target
KITTEN: You noted earlier in the call that hacktivism is really about reputational risk, and I'd like for us to take a look at the financial sector specifically. Why should hacktivism be an issue that banks take seriously?
NOWAK: Banks in particular are running a reputation business. Once a bank is seen as less able, less secure or less ethical than its peers, it tends to suffer in the marketplace, and that's long-term damage. And hacktivists waging a public relations war are trying to tarnish the reputation of organizations. And the reason we should be concerned about hacktivism is because for a relatively small investment of effort with relatively simple technical means they can have a disproportionately large effect in damaging the reputation of an organization. And once customers have a negative view of an institution, that stays with them for a long time. They take their business elsewhere. So financial institutions in particular that rely on goodwill and merit - their own good reputations with customers - need to take this seriously as a threat to their business, not just to their technological front.
KITTEN: Do you believe that hacktivist attacks will get worse?
NOWAK: I certainly do, because to the extent that there are activists who are willing to put in time and effort to air their grievances with an organization, they're going to discover more and more that using online means to air those grievances gives them more bang for the buck in airing their opinions and causing grief to their target, and with less risk to themselves because anyone who's willing to risk arrest for demonstrating in front of a building will find it easier to do something online where they're not putting themselves at risk physically and they can have a much greater impact and much greater likelihood of making national news with their activism online.
Hacktivists' Motivations: Beyond the Norm
KITTEN: When we talk about hacktivism, we often think about socially or politically motivated attacks. What different motivations do you see emerging behind some of these hacktivist attacks?
NOWAK: There are all sorts of motivations that have triggered hacktivist attacks. For example, there can be grievances with particular products where companies produce certain products that are used in ways that activists disapprove of or they can have business practices, child labor, or particular stances on political issues. For example, a lot of hacktivist attacks have been associated with intellectual property issues. There have been cases of revenge - for example the famous HBGary case - where the HBGary information security firm was saying that they were protected and they didn't have anything to worry about; and as a matter of just sort of a revenge strike, there were hacktivist attacks on them. Whatever motivation could cause someone to have a grievance with a company can attract hacktivists' attention, and with a relatively small investment of effort they can become a target.
KITTEN: Do you think that we can expect or should we be concerned about organized crime joining forces or getting behind some of these hacktivist groups?
NOWAK: Actually - surprisingly - no, because the primary purpose of hacktivist attacks is to attract attention to themselves and to their issue. They have a particular grievance with a company. And what we've seen is that hacktivists tend to distance their activities from things that would be considered criminal because they want to stress that they have an opinion that they want to publicize. They're not after financial gain.
These are the two ways in which they're distinguished from criminals. Generally, criminal activity online tries to be concealed, tries to be secretive, maintains secrecy and goes after only financially valuable targets - credit card information or valuable information that can be resold. Since hacktivists are trying to demonstrate that they're not in it for the money and they're trying to publicize an opinion, their motivations are different. Criminals want to remain concealed, so they don't want to associate themselves with hacktivists who are trying to attract attention to themselves. On the other hand, the response to hacktivists, particularly if they engage in obtaining confidential information for publication, they are referred to and should be referred to as criminals and treated as such. But the criminal economy that poses a threat to information security is well developed and I think is pretty much separate from hacktivist activity.
KITTEN: Most hacktivists wage denial-of-service attacks, which is a relatively easy type of attack to prevent, and we talked a little bit about some of the technical concerns earlier in this call. Why has the industry not taking as many steps as it should have in the past to mitigate the risks that are associated with these DDOS attacks?
NOWAK: I would say that the denial-of-service attacks are technically easy to prevent and that we know how to do it, but it involves a significant financial investment to do it effectively, to have the scalable systems that can really survive a large-scale denial-of-service attack, and there's sort of a pile-on effect where effort continues to be invested until an organization's overwhelmed and the public relations coup of having succeeded in a DDOS attack is achieved. I think a lot of organizations are just saying, "Well, where should we invest our money? Should we invest large amounts of money to be scalable enough across our entire Internet presence to survive a denial-of-service attack or are there other risks we're mitigating?" I think a decision is being made that risk mitigation investment is better off done elsewhere.
And also, there are other sorts of hacktivist attacks. If denial of service doesn't work, then hacktivists will turn to something else. My impression is that denial-of-service attacks will continue to happen, but they will not be the only means of hacktivism used, and I think this is another example of organizations not paying too much attention to the technical exposure. What they need to do is they need to improve their response and preparedness in non-technical ways for the hacktivist threat.
KITTEN: That's a nice segue to my next question, which is what steps should companies and others take to defend themselves against some of these hacktivist threats? And it sounds like from the PR perspective, you're pretty firm, but what about teams that they should create or different approaches that they should consider?
NOWAK: I would suggest first of all that the information security function or the risk management function take ownership of this issue, only because everyone assumes it's in their area. And then they should make sure that awareness is built across the organization because, compared to other information security risks, there's a need for new kinds of teams and the new sorts of internal relationships to help address it, both with the corporate legal department and the public relations department to prepare. I think that most organizations would benefit from having a hacktivism working group, just to meet occasionally and discuss the threat and share ideas and get a sense of their vulnerable areas.
I would say the public relations function is probably the best place to say, "Hey, here's where we're sensitive. Here's where we're hearing complaints from the marketplace. These are the things we should be concerned about that people might get upset about." Then the IT department can turn around and say, "Okay, here's the IT presence for those issues and what can we do technically to isolate that so if there's a denial-of-service attack or other sorts of online attack, a minimal number of systems are affected?"
The public relations department might also be aware of grievance sites that are used to criticize the organization, and they can use that to track on an ongoing basis these issues. Then the corporate legal department can start formulating internal policies [for] how things are handled. Do they take action against these grievance sites to try to shut them down, which was the old solution that used to be used, or do they let them continue so they have a way to monitor what the complaints are about the organization and get a sense when things are becoming more active, when the threat might be increasing? That's something that different organizations decide differently, but they should have that discussion in advance because they don't want to be surprised when something is already going on.
I'd also advise organizations to consider having an internal simulation, to perhaps have a facilitator of some sort come in and help them simulate a hacktivist attack and figure out what the organizational responses would be as it stands and help them develop procedures because if it's a public relations battle, as I said, then the response is won, again, through public relations. Organizations should know who's authorized to speak on the issue. There should be a rapid response because when organizations don't respond to such things, that tends to increase the grievance, and people tend to join in, thinking that the organization has no response. So the more quickly they can respond in an organized way to address the grievance, the more likely it is that the hacktivist attack will fizzle out and not become a media loss for the organization.
KITTEN: It sounds like a more proactive approach, but what about after this attack? How should organizations respond after an attack?
NOWAK: They should definitely have a lessons learned sort of meeting to find out what they did well and what they think they could have done better. I think a lot of organizations can improve their public faith and their ability to respond to grievances. What we've seen culturally over the past few years is that the more an organization steps out and is willing to say, "Yeah, we did something wrong; we could have done that better; we screwed up," the more they're respected in the marketplace. The old-style closed-off infrequent press release from headquarters-style of relating to the public tends to turn people off, and activists see that as an ongoing sort of non-responsiveness, and I think that the hacktivist mentality is irritated by that. And it's used by those activists who are willing to organize some sort of attack on a company to rile up supporters for their cause. And by being, as you said, proactive and being responsive to grievances in an ongoing way, they can diffuse some of that tendency and reduce the likelihood that activists can gather the support they need to mount some sort of attack against them. They will turn their attention and grievances elsewhere.