The last two days, I touched briefly on the efforts governments have made to crack down on a perceived “scourge” of hackers. A strong security infrastructure is important to establish in a democratic society, as is freedom of information. But neither of these things mean anything if those in power do not fully understand all the actors in play and the differences between groups of hackers.
For most people, the word “hacker” holds negative connotations. Obviously, the term has been on the lips of many this week, with the whole “British tabloid writers are scumbags” thing. And today news broke that the Pentagon was hacked and 24,000 confidential files were stolen.
I hope that my previous posts on the subject have not been misconstrued as support for internet hacking, because I have made enough distinctions and clarifications to make my position clear. But the big question we need to ask ourselves is: how do we react to such attacks? Do we immediately dismiss them as the rats of the internet?
One important thing most people do not seem to understand about hackers is that there are different groups with different agendas. Anonymous has always existed in one form or another, but their resolve was strengthened after the group more or less rallied around Wikileaks last year. Anonymous’ targets are governments, big businesses, and the like. They truly believe in absolute freedom and total access to information. Meanwhile, LulzSec hacked for more mischievous purposes, targeting Sony, PBS, and porn website pron.com “for the lulz.”
One security strategist for Coalfire Systems suggested that “hackers with altruistic movies or who target authority figures often lose that focus as they continue.” Had LulzSec not disbanded after fifty days of mischief, they could very well have been “corrupted with financial gain.”
So it utterly confuses me that the United States government sees hacking as an act of war. Here’s the argument as best as I can understand it: acts of terrorism, like the 9/11 attacks, are instigated to make the target look weaker and more vulnerable. The same is supposedly true of cyberattacks, so one could make the argument that they deserve the same treatment.
Obviously, not all hacks are given the same treatment, but this is what one anonymous military official told The Wall Street Journal in May:
“If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
Anyone who wants to know what the United States’ official position on cyberattacking is should read a White House document entitled “International Strategy for Cyberspace.” Here’s a choice paragraph that should set off alarm bells right away:
When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests.
Wait, can I see that first sentence again?
When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.
This represents the convergence of security and freedom. The actions we take regarding internet hackers define our position in the age of information. Too much security could lead to a Big Brother-type society that many would argue we are currently on the path of, while too much freedom for hackers could lead to cyberanarchy where no one’s information is safe and random targets are picked out and crushed by the shadows of the web.
The United States’ current position on hacking appears to lean more towards stronger security measures, but it feels like the government is behind the curve when it comes to preparing for cyberattacks. The following sentence from the aforementioned White House report caught my attention:
For a decade, the United States has been fostering a culture of cybersecurity and an effective apparatus for risk mitigation and incident response.
Contrast that with this sentence from a Reuters special report last month on government effectiveness in dealing with cyberattacks:
Notwithstanding the military’s efforts, however, the overall gap appears to be widening, as adversaries and criminals move faster than government and corporations, and technologies such as mobile applications for smart phones proliferate more rapidly than policymakers can respond, officials and analysts said.
The entire Reuters piece is worth a read, because it essentially lays out how we are still vulnerable to cyberattacks even though every president since Clinton has pledged to make our virtual infrastructure a top national security priority. If you think about it, the fact that a bunch of computer-savvy teenagers can crack government websites is somewhat mind-boggling.
This is why I call hacking “the most dangerous dissent.” It has nothing to do with the saying that “dissent is the highest form of patriotism,” mainly because I find it hard to ascribe the label “patriot” to an internet hacker. Dissent means taking opposition to the ruling opinions or policies, and certainly hackers fall under that umbrella. But their methods of airing dissent are certainly dangerous and, in many cases, illegal.
But if you think a group of computer hackers is completely on par with a terrorist organization, you’re either out-of-touch or just insane. It is true that some hackers involved with the infamous “Operation AntiSec” have said they view the mission as a “war” and their targets include the government, but the war is not truly against the government, it is against censorship.
Here’s a quote from a top government cybersecurity expert on what our ultimate goals for the internet are:
We wish to see a safer and peaceful internet for every one, not some bunch of kids threatening the web for lulz or in the name of Anti-Govt agenda.
Oh, wait. I pulled this trick yesterday. The quote is actually from the hacker group WebNinjas. See, WebNinjas decided LulzSec wasn’t really focused on the same goals that the rest of Anonymous was, and so launched a campaign to expose the private information of LulzSec members to give them a taste of their own medicine.
So how can the government put WebNinjas and LulzSec in the same category when they were essentially at war with each other? Again, these distinctions are important. The idea that all hackers are cybervillains or cyberterrorists has been a popular school of thought for years. In 2002, Dissent Magazine writer Helen Nissenbaum explained why these labels are neither accurate nor fair.
[O]ld-fashioned hackers-who worship the pure hack, resent centralized control of computer power, and believe computing to be a source of public good-have not disappeared. They have receded into the background, relegated to the margins of a revised category that now is filled by vandals and criminals. The question that remains is whether we are well-served by this revision. I believe we are not, but not because I condone the actions of those who apply programming skills to stealing information or money, to damaging and vandalizing systems, or to placing critical systems at risk of malfunction. The problem is that we are robbed of a concept that once suggested an alternative to the new, imposed order of cyberspace.
She believes that hacking with certain motivations can be classified as legitimate protest.
Does this mean hackers should be protected? Not necessarily. But it doesn’t mean they should be labeled as terrorists and warmongers. The goals of Anonymous and al-Qaeda could not be farther apart. Actual terrorist groups wish to cripple America by destroying our infrastructure and our resolve. Some hackers may have these motivations, but the vast majority of them have slightly less ignoble reasons for cracking government websites.
And for that, they should not be applauded nor condemned, but at least respected and understood enough by those in power so we can have leaders making informed decisions before declaring full-fledged cyberwar.