Hacktivism: Are you vulnerable?

Through the years, activism has taken many forms.  Marches, picketing, egg throwing, billboards, and sit-ins have been used to drive home a point, to change the behavior of governments, corporations, or societies.  In developed nations, these activities were historically localized with limited impact on infrastructure, the economy, or whether a corporation continued to operate.  Technology has changed all that.


Today’s activists, through the use of the Internet and other computing technology, have the ability to cause serious or irreparable harm to governments, politicians, executives, or corporations targeted by their agendas.  The joining of computer hacking and activism falls under the single handle of “hacktivism” (a.k.a. hactivism).

Alexandra Whitney Samuel defines hacktivism as “the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development” (Source: Hacktivism and the Future of Political Participation, 2004).

Political hacktivism (although some still believe it was nationally sponsored hacking) was seen in the virtual attack on Estonia in 2007.  More recently, Georgia and Kyrgyzstan experienced attacks against their infrastructure.  In addition to country-level attacks, numerous high-profile organizations and individuals have also experienced hacktivism in the form of Website defacement or the release of sensitive or embarrassing information.  Here are some examples:

And it goes on and on and on…

Why you should care

As security managers, we spend a lot of time protecting the confidentiality of our PII and PHI/ePHI.  We lock down access to protect the integrity of financial information.  This protects us from financially motivated attackers.  But hacktivists have a different reason for stealing information or disrupting your business.  The hacktivist wants to turn public opinion against the target or cripple its ability to operate normally.  Stealing PII and PHI might accomplish this, but there are other ways.

Browsing Wikileaks.org, you can view a wide variety of documents retrieved by unauthorized personnel or provided by disgruntled employees.  These documents typically contain information a business or government would rather keep confidential.  Once the documents are posted, once they hit the Internet, there is no pulling them back.  Even information taken out of context and subjected to spin will float around the Net for years as the target entity tries desperately to deny its authenticity.

Blackmail and extortion are other methods sometimes used when a hacktivist obtains sensitive information about an organization’s activities, future plans, etc.  Instead of asking for cash, the hacktivist might use the information as leverage to block one or more planned objectives (The Electronic Intrusion Threat to National Security and Emergency Preparedness (NS/EP) Internet Communications, 2000, p. 37).

All these issues add up to a need to protect any information, whether controlled by government regulation or not, which might embarrass or cause operational interruptions if in the wrong hands.

The final word

So even if your organization has taken the position not to store sensitive customer information, and even if your employee data is locked behind impenetrable layered controls, your business might still be at risk.  Do your executives document strategy meetings and store the information on their laptops or company servers?  Do managers communicate via email about how they feel about union activities?  Is your company developing a product or service which might be socially explosive if not rolled out in a controlled manner?  Does your organization prefer not to err on the side of transparency in its dealings with the public, a transparency it can point to when the spin doctors accuse it of secret and unethical activities?

Each organization is unique in the way it will answer these questions, but the general solution will be similar across all protected networks. The same controls (administrative, physical, and technical) put in place to comply with GLBA, SOX, HIPAA, or FACTA should be expanded to include potentially damaging information as well as public-facing systems (e.g., Web sites).  The process starts with understanding what information taken alone, or when combined with other pieces of data, can be used to further the agendas of those opposed to our business or political outcomes.

Copyright © 2009 IDG Communications, Inc.
