Several years ago I participated in an unclassified cyber wargame that looked at a variety of scenarios and planned out responses to those scenarios. Sitting around the table were experts of all kinds: government, industry, security consultants, business professionals, military, and law enforcement. During this wargame, a scenario was presented to the group asking what the reaction should be if a large financial institution had $10 million stolen in a cyber attack.

The military and law enforcement guys came out swinging. They were immediately ready to do all the forensics possible on the exploited systems and undertake a plan to track the money and get it back, because they had decided the way ahead was for them to kick the shit out of some hackers and nail those dudes to the maximum extent the law allowed. They came up with some remarkable ideas, and even organized a battle strategy for cyber counter-attack. To the extent the game would allow, they had done a good job with the forensics and had a good idea how they were going to get the money back.

But one of the individuals in my group was actually an executive of a major US financial institution, and he ended up recommending the prevailing course of action. He went over the numbers and explained in great detail that the company was not going to do anything – indeed they were going to act like the hack never happened and were not, under any circumstances, going to draw attention to the hack or hackers. Based on his analysis of what the projected costs would be to go public with news of a major security breach to a major financial institution, $10 million was the cost of doing business, and our group ultimately decided the best action for business was to eat the loss. You can imagine how the law enforcement and military folks initially reacted to that solution, but that is what war games with a variety of professionals are for.

These things have been on my mind as I read this article in PC Magazine. This decade is off to an interesting start with loosely organized global cyber vigilantes like the group “Anonymous” operating in the public shadow zones of the internet. For those who don’t know, “Anonymous” was the organization behind “Operation Payback”, which went after US companies that dropped support for Wikileaks, and it reportedly includes members of the “/b/” bulletin board.

On Friday Aaron Barr, CEO of HBGary Federal, was quoted in the Financial Times as having identified the founding leaders of Anonymous, which has claimed responsibility for recent distributed denial of service (DDoS) attacks on companies that had severed ties with WikiLeaks. Anonymous was also allegedly responsible for shutting down pro-government Web sites in Egypt and Tunisia. Forbes said Barr was planning to sell the information to the FBI.

On Sunday evening at 6:30pm Eastern, the hackers appeared to take over Barr’s Twitter account and tweeted: “IT BEGINS. THE ANONYMOUS HAND SWINGS FOR A LULZY B****SLAP. #anonymous #takeover #hbgary.”

Soon enough, Barr’s Twitter page was filled with racial and sexual slurs, and the attackers had published Barr’s mobile phone and Social Security numbers. Furthermore, according to reports, the company’s website was temporarily replaced with a message: “Let us teach you a lesson you’ll never forget: don’t mess with Anonymous.” This letter has since been replaced by a holding page.

DailyKos also reported that Anonymous deleted the firm’s backups and posted over 60,000 company e-mails on Pirate Bay.

Unlike the DDoS attacks for which Anonymous is usually known, the group said via Barr’s Twitter account that it performed the hack by duping people to gain access into HBGary’s system, a hacker technique known as social engineering.

For background on the social engineering methods used by Anonymous, read this rather detailed account at Tech Herald. Anonymous has a press release posted at the DailyKos. Details of the hack are still coming out, but what we do know is that Anonymous has released to the public a 4.71 GB Torrent file of information on HBGary and HBGary Federal. For those unaware, HBGary Federal delivers HBGary’s malware analysis and incident response products as well as expert classified services to the Department of Defense, Intelligence Community and other U.S. government agencies to support their unique cybersecurity challenges and requirements.

Or at least they did at one point, because with this incident the reputation of the company has been completely destroyed.

The hack by Anonymous on HBGary Federal exposed Social Security numbers, publicized private e-mails, resulted in the theft of HBGary source code, included the deletion of company data, replaced the phone system, and exploited the social media accounts of several employees across several social media platforms.

I’m going to try to objectively describe what these events represent, and tell me if I’m reading it wrong. I think what we saw was a corporation publicly threatening a non-state political organization in cyberspace for the purpose of enhancing the corporation’s reputation, and the non-state political organization retaliated via cyber warfare and may have inflicted a mortal wound on the corporation.

There is a lot to learn from this incident. In a world of anonymous identities in cyberspace, public exposure of identity constitutes an existential threat. It is also noteworthy that non-state political organizations that operate publicly in cyberspace, like Anonymous, intentionally apply no limitations on their attacks, because achieving the most damage to their target is always the objective. Reputation is a major factor for non-state organizations that operate publicly in cyberspace; indeed, many have noticed that Anonymous has been involved in Tunisia and Egypt in part to reshape the reputation of the organization. Understanding anonymous non-state organizations that operate publicly in cyberspace requires a full understanding of the importance of reputation and identity. Aaron Barr has learned this lesson the hard way.

It is important to note that there are no equivalents to the laws of war or the Geneva Conventions in cyber warfare. If an action is undertaken by a non-state actor, maximum damage can always be expected to be the objective, as a way of maximizing the reputation impact of the action. The consequence of always attempting to maximize damage is a higher risk of collateral damage – and indeed that collateral damage may itself be an intentional objective of an organization looking to make the maximum possible reputation impact.

Maximum damage being the objective in cyber warfare is not trivial, because what happens if collateral damage in cyber warfare somehow actually kills people? When the intent is always to do as much damage as possible to reap the reputation rewards that come from successful public attacks, if someone should die from the collateral damage of such a cyber attack the “intent” element makes it murder. It is something to think about, because eventually a cyber attack will kill people – Murphy’s Law will ensure it.

Anonymous is currently the only major political non-state organization actively engaged in cyber warfare activities that is attempting to operate publicly. In that way we can describe them as pioneers of such organizations, because while they are certainly unique today, they also represent a first generation organization of this type. It will be very interesting to see what the second generation organizations that are better organized and better funded look like when operating publicly in the shadow zone of cyberspace. Given the public attention Anonymous has drawn to date, we may not wait long before finding out.

Posted by galrahn in Cyber, Training & Education


  • Bucherm

    Anonymous are a bunch of script kiddies who, when confronted with the RL consequences of their actions rear back like the undead being shown a holy symbol.

    Ars Technica had a good article on this:

    Dare I say it, I lol’ed at it. It’s interesting from a “cyber war” perspective, but if the most deadly nonstate actors out there in cyberspace wring their hands when “two *REAL* guns!” are pointed at them as the FBI comes through the door…I am not particularly too worried about them.

  • YN2(SW) H. Lucien Gauthier III

    Before I read any further, I have to know if galrahn can Tri-force… 😉

    Beware of the content, it is not for the squeamish, but check out the Encyclopedia Dramatica, which is more-or-less the Rosetta Stone for all things 4chan.

    I think too much emphasis is being put on m00t’s website. That is where in fact the term anonymous came from. However, the reason for that is secondary, as the board allows (indeed demands) that you’re anon when you post. Just as much as anyone has ‘organized’ on 4chan, they’ve done it in IRC.

    We’re running into the same problem here as we did with calling everyone shooting at US and Coalition forces in Afghanistan, Taliban. They’re not all Taliban, nor is everyone of the same ilk who calls themselves Anonymous. The 80/20 principle applies to anything organized on bulletin boards. With the caveat that LOIC allows the otherwise ‘too-lazy-to-do-anything-other-than-run-ones-mouth’ to spend 5 minutes downloading something, and then plugging in the IP and commencing a DoS attack at a coordinated time – tell a late-teen kid they have the ability to change the world with a simple download and enough time before Mom serves dinner, and they will do it… Lord knows I longed for some sort of way to affect affairs at a National level (I’m not saying I wished I could hack as well as kids can today, rather I longed for a voice loud enough to be heard when I was an angsty teen).

    Most of them are not hackz0rs, they just want to be cool and have a voice.

  • Brettzky66

    Here’s my concern: people, either acting as individuals or loosely stitched confederations, want to be able to take these actions as “non-state” actors, but still expect the Constitutional protections of US citizens (or of their home countries).

    If any person can hack any system, then say they are acting within the global commons, then the idea of sovereignty writ large is either diminished or moot.

    Further, if these same individuals choose instead to target only corporate interests, what is to stop them from taking any and all actions (including using “real guns”) to protect their interests (whether corporate, employee, etc.)?

  • Victor

    This is not “cyber warfare.” Stuxnet is “cyber warfare.” This is just ineptitude and hubris on the part of HBGary.

  • Bucherm,

    What happened to HBGary is not the stuff of script kiddies. Things are clearly more complicated than that. What I think should be examined more closely is whether the level of skill within the organization has improved as the organization has gained popularity, because what happened to HBGary demonstrated a great deal more skill than what Anonymous has done in the past.

    Clearly there are low level folks who are working with the organization as a form of online activism and political support, and because many of these folks do not have the skills to protect their identity, the FBI is beating down their door.

    Ultimately the courts will decide whether DDOS is a form of online “sit-in” or a legitimate attack. Given how several governments around the world consider access control on the internet an important weapon (bandwidth is a weapon), I don’t think the “sit-in” argument is going to fly in court.

  • Lucien,

    Allow me to suggest the “Low Orbit Ion Cannon” (LOIC) is more than just an easy entry point for folks willingly supporting a DDOS attack, and more importantly represents a method for active political participation with the Anonymous organization. In many ways the distribution of the LOIC represents a recruitment tool for support, a very clever approach to finding supporters of hacktivism. For a loosely organized group where leadership is horizontal instead of vertical, Anonymous is quite sophisticated and I find that folks sound like fools when they dismiss the organization as script kiddies. Your 80 – 20 analogy applied.

    IRC has long been the communication tool of choice among those who reside in the Internet’s shadow zone – that and news groups. Things have not changed since I was an IRCop in the very early 1990s.

  • Matt Yankee

    The cost benefit analysis regarding the 10 Mil. sounds very similar to what businesses were doing about frivolous lawsuits and these lawsuits grew to such ridiculous proportions that finally businesses and insurance companies started to fight them to stem future suits. Seems a bit of the same thing is going on with the Somali Pirates. These decisions do not take into account future incidents and the propensity for these things to snowball quickly into very large problems. Better to nip them in the butt early if possible…my two cents.

  • Matt Yankee,

    That is an excellent point, but like everything else the bottom line at any point in time is the most important factor. Somali piracy costs between $7-14 billion in what is a multi-trillion dollar industry. $7-14 billion is an accountant’s rounding error in the final tally.

    The same is true of a large financial institution. $10 million in losses by cyber theft privately is a $10 million loss. If the news of the theft convinces even one major stakeholder in the company to leave, the loss could quickly turn into hundreds of millions.

    Whether it is Somali piracy or cyber theft, it is still about risk management and not solving fundamental problems. I don’t see that changing until the risks get high enough to demand a different action be taken.

  • Mike M.

    I can see a business choosing to eat the loss, but when individuals get targeted, it becomes a very different matter. Especially when you consider collateral damage.

    That’s the point when pressure is put on governments to act. Governments go to great lengths to maintain a monopoly on the use of force, and cyber-attacks are just as much a part of the spectrum of force as the rods and the axe.

  • M. Ittleschmerz

    “it is still about risk management and not solving fundamental problems” and that highlights one of our governmental and generational problems. Government is not in the business of risk management – or even mitigation – but rather “risk elimination”.

    And government, including the Navy, often wants to eliminate those risks WITHOUT addressing the fundamental problems.

    Which can’t be done. But, we expend enormous resources on trying anyway.

  • UltimaRatioReg

    A timely piece. And well-stated. Coincidentally, I was talking to one of my hacker friends last night, and we discussed “anonymous” for a time. His belief was that the organization is going to be the test-bed for other, more ruthless and less constrained players. With some of the functional capabilities from something like STUXNET in their hands, he had serious concerns.

    Galrahn, we have discussed a number of times the business response to loss of what we consider large sums to exploits. As far back as 2003, when I was on the EPT for LIVEWIRE, similar sentiments were expressed, with a mature business calculation to back up the assertions.

    Some interesting observations in a multi-national partnership “global” economy:
    A network exploit or attack from a business rival, if skillfully executed, will be indistinguishable from a skillful exploit/attack from a politically-driven non-state actor, a religiously-driven non-state actor, foreign government, state-controlled industry of a foreign government, trans-national criminal organization, or any other entity that possesses the capital to buy that skill set. Attribution remains the brass ring, and is, if anything, harder than ever against a competent adversary.

    M Ittleshmertz, don’t swallow your dentures, but I agree with you on the Navy’s (and DoD’s) mistake in trying to eliminate instead of mitigate risk. Alternate means of C3 and of data transfer need to be explored, as do philosophies of command and control that hearken back in some cases to the Cold War training that was once second-nature. Training for loss of communications, or worse, loss of trust in communications, issuing clearer and more concise mission-type orders, refraining from micromanaging our subordinate commands and commanders, will go a considerable way toward mitigating some of the worst of the risk faced by our armed forces in the case of network disruption. (But clearly not ALL risk, as hidden dependence on networks for myriad other tasks may yield some unpleasant surprises.)

    The war game just concluded (Expeditionary Warrior 2011) had several working cells come to that conclusion in a scenario in which an adversary can even briefly obtain near-peer capabilities in the cyber and space domains.

    Finally, as we all know, a DOS or DDOS attack can be annoying and very disruptive, particularly if executed at a critical juncture. But that exploit is relatively low on the list of really bad stuff a technically capable adversary can do with knowledge of your network and some important information about your entity and its critical functions.

  • YN2(SW) H. Lucien Gauthier III

    “His belief was that the organization is going to be the test-bed for other, more ruthless and less constrained players”

    URR hits the nail on the head. This is the perfect cover through which new TTPs can be tested and developed for cyber efforts. Using false flag techniques is simple, when there is no flag being waved in the first place. Just the same, seeing them get the 4chan parlance down is incredibly impressive if they are in fact not who they say they are.

    What’s getting me the most, is that THIS is the nature of warfare in the 21st Century, THIS is how we’re going to have to fight.

    What gets me though, is that these attacks are only sophisticated ONLINE, they lose their aura of sophistication when the human element is added in. The guy at rootkit who divulged the password was duped into giving the password out. Wikileaks had their windfall because of a disgruntled PFC, all classic examples of how information has always ended up divulged – nothing new.

    I read through much of the discussion of how some consider DDOS a modern form of sit-in. The ambiguity of how it ‘could be, but not really’ is the strength of anon – the most striking part of the conversation was concerning how anonymity was the delineation between terrorism and protest (to use the terms from the original). Reducing this ambiguity is the best way to defeat them. Anyone ready to start seeing typing being replaced with cyber-ethics in high school?

  • Sean Quigley

    K folks I’ll shoot this out there it’s a WAG but lets look at who is benefiting from these “NON-STATE ORGANIZATIONS” Where is their funding coming from and WHO in the way of a nation state would seem to benefit the most from these recent hacks on the US and European countries as well as major business and banks in the US and the EU…..hummm as I recall we funded the Mujahideen in A-stan when Russia was there and that was one way to speed along the collapse of the Soviet Union. Now we have a former KGB officer who served in A-stan in charge of the country and a fella in the way of Julian Assange who at least Wikipedia knows little to none about his actual father perhaps he was RUSSIAN???? Also what does CHINA gain in all this??? It seems to me having not read all the Wiki leaks that both countries seem to have come out relatively unscathed by them and you would think that a person like Assange and his cronies would be hammering Russia and China if nothing else than to cast light on the repressive regimes…yet here we sit being made fools of and they seem to be just skating by……Well like I said WAG but still something to think about.

  • “A timely piece. And well-stated. Coincidentally, I was talking to one of my hacker friends last night, and we discussed “anonymous” for a time. His belief was that the organization is going to be the test-bed for other, more ruthless and less constrained players. With some of the functional capabilities from something like STUXNET in their hands, he had serious concerns.”

    URR – Your friend is right to be concerned, Anonymous is generation one stuff. There are so many questions – here are a few off the top of my head:

    1) Measured in time, what is a generational cycle for these types of organizations? Do we have months or years to prepare for the type of coordinated and systematic attacks a generation two organized capability will represent?

    2) Just as piracy thrives in plain sight off the ransom payments of maritime insurance companies, is it possible these types of organizations can exist publicly in the shadow zones of cyberspace and thrive off holding data hostage?

  • UltimaRatioReg

    Yeah, great questions.

    Regarding question #1, some have posited that they have a strategy in place waiting for technological capabilities to accommodate, and that “generational” advances might be measured in months, even weeks. That would be one tough task to stay ahead of.

    As for question #2, methinks those “shadow organizations” are indeed self-sustaining/self-advancing. Which makes the micro problems contributors to the macro.

  • Roland Dobbins

    There is no such thing as ‘cyber warfare’, and non-ironic use of the appellation ‘cyber-‘ is generally considered to be inversely proportional to actual security clue. I realize that the pernicious ‘cyber-‘ has permeated the military, DoD, and national security community, but if you can avoid it, folks who are serious in this space will take you more seriously.

    ‘Cyber-‘isms aside, you raise a number of good points. The bottom line is that this is espionage involving non-state actors, and the ostrich scenario for the $10MUSD theft is, unfortunately, the least worst option for many organizations, at present.

  • UltimaRatioReg

    Mr. Dobbins,

    I do believe Galrahn deliberately used terminology that is familiar to the normal readers here. His technical knowledge is nonpareil, and he could easily have lost most of us in a sentence.

    To your point on “cyber warfare”. Scream it loud, please. Very loud. DoD and other Federal Government organizations, including much of our National Security Community, all have what would seem to be a rather unrealistic and ill-conceived understanding of what they officially call the “cyber domain”. Terms and phrases like “offensive cyber” and “cyber dominance” are so much jabberwocky, especially when you ask them to define it, and if you are a real jerk, how they’d do it.

    I will say that the “ostrich scenario” you describe isn’t quite that. The entity I spoke of above already had calculated that they would lose five or six times the amount of money ($10m was our figure, too) just in customer confidence in the next 12 months. Telling them to lose the bigger number to chase the smaller one would be a tough sell. Perhaps impossible.

  • Mr. Dobbins’ criticism is very fair, and accurate IMO. I even remarked how shallow it sounded on my own blog when linking to this piece, because I recognized the ambiguous use of ‘cyber’ when I wrote it but published anyway.

    I need such criticism if I’m going to find the right balance in these types of discussions that keep terminology aligned with audience.

  • Eric

    If collateral damage becomes their intent, do we not have to consider them terrorists and respond to them as we would terrorists?

  • YN2(SW) H. Lucien Gauthier III

    “There is no such thing as ‘cyber warfare’”.

    You’re right, it is not warfare in any form. It is competition, as best I can define it. I’m coming to the opinion that any effort outside of intentionally killing the members of another force is NOT warfare and should not be viewed as such. Warfare is predicated upon the intent to kill – the ultimate form of competition.

    That said, it is still of huge importance to the State to engage in this competition and view it as part of the same spectrum that has warfare at its extreme end.

    What the Anons have done is a cyber campaign predicated off of an information campaign started by Wikileaks. The delineation I view between cyber and information, is that information is the tactics of using the content of the internet (information, which can also apply to all other forms of media) to gain advantage or win on their terms. Whereas, cyber is the tactics of affecting the information’s infrastructure (hardware and software).

    Again, true that it is not a form of actual warfare, but it is still a part of the same family – competition – and with the same intention of winning on one’s own terms.

  • Matt Yankee
    …”like everything else the bottom line at any point in time is the most important factor. Somali piracy costs between $7-14 billion in what is a multi-trillion dollar industry. $7-14 billion is an accountants rounding error in the final tally.”

    I totally understand your “bottom line” point as a Finance major. As a small business man I understand, and my college professor stated, that these types of decisions are not necessarily the smart move over the long run. For instance public companies make decisions to NOT invest in properties because the investment will not give them the same level of return on their capital as their business, so it drags the ROI (return on investment) down overall and reflects negatively on their stock value. The result is a company that may have billions in the bank will not own their own facilities (they pass up the added value just because it isn’t up to their par…still added value). This is where I come in (I am no public corp.) and get them to sign a lease for 10 yrs that pays for the whole project and then some. For the most part, my bet on a Blue Chip corporation is a safer bet over the long run than even their own blue chip business (I can lease the place to another business even if they do go down…but they don’t…by far the majority don’t, and even if they all did, ALL other businesses would be going down anyways so my risk is that our economy doesn’t totally fail which is as good a risk as exists).

    It is in the country’s interest to be forward thinking and to make decisions that will benefit us over the long-term. Back to the 10 Mil. example…Why couldn’t the govt. have gone after the culprit without it making the news. Maybe that is not possible now but I would think we could set up a way to do that where the facts were kept secret…since it could be considered in the interests of national security (same risk of the cover up getting exposed also I would think). Waiting for something bad to happen when the risk of something very bad will likely happen is a poor, short-sighted decision in my (ever so broad:) mind.

  • Not Anonymous

    The part that I worry about isn’t that they make it hard for state forces to crack down on them; rather, I worry that eventually, anyone on the “outside” (which can even include anybody who *thinks* they’re actually on the “inside”–paranoid yet?) rapidly loses the ability to make decisions, based solely upon trustworthy knowledge, about a subject.

    My fear is that, in the longer run, this ability to generate massive real-world effects with nigh-complete anonymity, coupled with polarized worldviews and the willingness to do “maximum damage” with nothing really resembling a generally-accepted body of ethics, will claim as collateral damage the “trust society” upon which not just modern commerce, but a free civilization itself is built upon. After all, if you cannot reasonably determine the truth regarding virtually any matter, you cannot operate in the type of society that we are used to.

    Sadly enough, one way to cut the Gordian Knot is to regress as a society–fall back to personal connections, known and trusted sources, while disassociating from “strangers”. This, I fear, could have catastrophic impacts–taken to an extreme, you end up with essentially a tribal society. You accept something as true because a handful of trusted nodes (trusted why?) gave the data to you… which gives those nodes a tremendous power over you. Compare, for a moment, the quality of life, technological progress, and freedom as individuals that we see in tribal societies today, against that of a free market/trust society.

    I don’t mean to post an essay in comments, so I’ll wrap this up. I realize it may be somewhat of an abstract concern compared to the immediate impacts of specific acts, but I would posit that our fundamental freedoms may be in jeopardy, here… not from Anonymous, but from our inability to determine the truth in an increasingly-complex environment.

  • William C.

    Hopefully Aaron Barr at least gave the FBI that information, yet he should have done that before baiting this group and he should have ensured he had the best security possible. He knew the crowd he was dealing with and should have expected reprisal. His lack of preparation certainly seems foolish.

    Yet as much as I enjoy hearing stories of the FBI breaking down these hackers’ doors and grabbing their stuff (they deserve it) this could be a preview for all too dangerous threats in the future.

    In my opinion organizations like this are led by a core of fanatical devotees supplemented by a large number of “useful idiots” who both aid in attacks and can be sacrificed as human shields to protect the identities of the organizers. Yet generally this so called Anonymous is little more than a bunch of rather anti-social youth with too much time on their hands. Their efforts seem to be focused at preserving their “cred”, defending lowlifes like Assange (who put soldiers at risk) under the guise of freedom of speech, and more random targets determined by the organizers who have proven rather adept at drumming up the crowd. I’ll try not to be too political here but they seem awfully motivated by the far-left who view people like Assange as heroes.

    Yet generally Anonymous is more of a nuisance than anything else, although they should be picked apart for stepping over the line. Yet a more dangerous threat would be a similar non-state group with a clear agenda against the United States, with access to the same methods and a similar structure of supporters. Another serious threat is state-sponsored efforts by any number of countries.

    Certainly much of the USG has an excellent level of online security. Yet a huge number of government contractors out there provide vital services, have connections to the United States government and military, and have varying degrees of security, making them a more tempting target.

    Consider that a while back a significant amount of data was electronically stolen from Lockheed Martin’s F-35 program. Besides the benefits this would provide a nation like the PRC (for example), non-state groups could select similar targets with the intent of selling the data for funds to further their own causes. Even a group like Anonymous could attempt such an effort fueled by radical-left idealism against “evil” defense contractors. Unwittingly they would be the pawn of somebody else.

    We must simply continue to improve security through a wide variety of methods. Yet the FBI and other government organizations must develop the capability to track down the leaders of such organizations. If arrest is out of the picture they must have the capability to devastate their efforts through similar electronic attacks. We gave the world the internet and while it has countless positive uses, there are many negative ones as well. When those threaten the United States we must be able to deal with them.

    Sorry for the speech but I had a lot to say.