Several years ago I participated in an unclassified cyber wargame that looked at a variety of scenarios and planned out responses to those scenarios. Sitting around the table were experts of all kinds: government, industry, security consultants, business professionals, military, and law enforcement. During this wargame, the group was presented with a scenario and asked what the reaction should be if a large financial institution had $10 million stolen in a cyber attack.
The military and law enforcement guys came out swinging. They were immediately ready to do all the forensics possible on the exploited systems and undertake a plan to track the money and get it back, because they had decided the way ahead was for them to kick the shit out of some hackers and nail those dudes to the maximum extent the law allowed. They came up with some remarkable ideas, and even organized a battle strategy for cyber counter-attack. To the extent the game would allow, they had done a good job with the forensics and had a good idea how they were going to get the money back.
But one of the individuals in my group was actually an executive of a major US financial institution, and he ended up recommending the prevailing course of action. He went over the numbers and explained in great detail that the company was not going to do anything – indeed they were going to act like the hack never happened and were not, under any circumstances, going to draw attention to the hack or hackers. Based on his analysis of what the projected costs would be to go public with news of a major security breach to a major financial institution, $10 million was the cost of doing business, and our group ultimately decided the best action for business was to eat the loss. You can imagine how the law enforcement and military folks initially reacted to that solution, but that is what war games with a variety of professionals are for.
These things have been on my mind as I read this article in PC magazine. This decade is off to an interesting start with loosely organized global cyber vigilantes like the group “Anonymous” operating in the public shadow zones of the internet. For those who don’t know, “Anonymous” was the organization behind “Operation Payback,” which went after US companies that dropped support for Wikileaks, and reportedly includes members of the “/b/” bulletin board on 4chan.org.
On Friday Aaron Barr, CEO of HBGary Federal, was quoted in the Financial Times as having identified the founding leaders of Anonymous, which has claimed responsibility for recent distributed denial of service (DDoS) attacks on companies that had severed ties with WikiLeaks. Anonymous was also allegedly responsible for shutting down pro-government Web sites in Egypt and Tunisia. Forbes said Barr was planning to sell the information to the FBI.
On Sunday evening at 6:30pm Eastern, the hackers appeared to take over Barr’s Twitter account and tweeted: “IT BEGINS. THE ANONYMOUS HAND SWINGS FOR A LULZY B****SLAP. #anonymous #takeover #hbgary.”
Soon enough, Barr’s Twitter page was filled with racial and sexual slurs and had published Barr’s mobile phone and Social Security numbers. Furthermore, according to reports, HBGary.com was temporarily replaced with a message: “Let us teach you a lesson you’ll never forget: don’t mess with Anonymous.” This letter has since been replaced by a holding page.
DailyKos also reported that Anonymous deleted the firm’s backups and posted over 60,000 company e-mails on Pirate Bay.
Unlike the DDoS attacks for which Anonymous is usually known, the group said via Barr’s Twitter account that it performed the hack by duping people to gain access into HBGary’s system, a hacker technique known as social engineering.
For background on the social engineering methods used by Anonymous, read this rather detailed account at Tech Herald. Anonymous has a press release posted at the DailyKos. Details of the hack are still coming out, but what we do know is that Anonymous has released to the public a 4.71 GB Torrent file of information on HBGary and HBGary Federal. For those unaware, HBGary Federal delivers HBGary’s malware analysis and incident response products as well as expert classified services to the Department of Defense, Intelligence Community and other U.S. government agencies to support their unique cybersecurity challenges and requirements.
Or at least they did at one point, because with this incident the reputation of the company has been completely destroyed.
The hack by Anonymous on HBGary Federal exposed Social Security numbers, publicized private e-mails, resulted in the theft of HBGary source code, included the deletion of company data, replaced the phone system, and exploited the social media accounts of several employees across several social media platforms.
I’m going to try to objectively describe what these events represent, and tell me if I’m reading it wrong. I think what we saw was a corporation publicly threatening a non-state political organization in cyberspace for purposes of prestige towards the reputation of the corporation, and the non-state political organization retaliated via cyber warfare and may have inflicted a mortal wound to the corporation.
There is a lot to learn from this incident. In a world of anonymous identities in cyberspace, public exposure of identity constitutes an existential threat. It is also noteworthy that non-state political organizations in cyberspace that operate publicly like Anonymous intentionally apply no limitations on their attacks, because achieving the most damage to their target is always the objective. Reputation is a major factor for non-state organizations that operate publicly in cyberspace; indeed, many have noticed that Anonymous has been involved in Tunisia and Egypt in part to reshape the reputation of that organization. Understanding anonymous non-state organizations that operate publicly in cyberspace includes a full understanding of the importance of reputation and identity. Aaron Barr has learned this lesson the hard way.
It is important to note that there are no equivalents to the laws of war or the Geneva Conventions in cyber warfare. This means that if an action is undertaken by a non-state actor, and maximum damage can always be expected to be the objective as a way of maximizing the reputation impact of an action, the consequences of always attempting to maximize damage include higher risks of collateral damage. Indeed, that collateral damage may also represent an intentional objective of an organization looking to make the maximum possible reputation impact.
Maximum damage being the objective in cyber warfare is not trivial, because what happens if collateral damage in cyber warfare somehow actually kills people? When the intent is always to do as much damage as possible to reap the reputation rewards that come from successful public attacks, if someone should die from the collateral damage of such a cyber attack the “intent” element makes it murder. It is something to think about, because eventually a cyber attack will kill people – Murphy’s Law will ensure it.
Anonymous is currently the only major political non-state organization actively engaged in cyber warfare activities that is attempting to operate publicly. In that way we can describe them as pioneers of such organizations, because while they are certainly unique today, they also represent a first-generation organization of its type. It will be very interesting to see what the second-generation organizations that are better organized and better funded look like when operating publicly in the shadow zone of cyberspace. Given the public attention of Anonymous to date, we may not wait long before finding out.