Crossing the hacktivism line
Recently, I was a guest on the CNBC program, Squawk on the Street. The discussion centered on the possible outcome of a limited strike by the US on Syria, and I had the opportunity to provide my opinion on the retaliatory cyber implications for US interests. During the program, I disagreed strongly with the position taken by McAfee Worldwide CTO, Mike Fey: that the Syrian Electronic Army is no more than a hacktivist group. In my opinion, this is a dangerous assertion based on industry group-think and marketing rhetoric.
Two books that I have co-authored have examined attack sophistication in terms of categorizing a threat actor. Ultimately, I am not concerned with which organization or entity carries out an attack. I am, however, concerned with identifying and stopping malicious activity. For example, were a nation-state to engage in industrial espionage against a defense industrial base contracting firm or against critical infrastructure, such as a power grid, this typically would be classified as an advanced persistent threat (APT).
At NSS, we would more accurately describe it as a targeted persistent attack, since the APT refers to a specific nation-state. Any individual or group with the right connections and with sufficient funding (from, for example, a nation-state or a cyber crime organization) will have access to the same sophisticated, weaponized exploitation kits that are used by government organizations. This has made it much more difficult to accurately categorize threat actors.
With hacktivism, however, it is somewhat easier to classify the threat actor. A hacktivist message or a hacktivist’s defacement of a website will offer clues regarding attacker identity, and, since the purpose of activism is to draw attention to oneself and one’s cause, the attackers will discuss their operations on Twitter and other social media. Furthermore, a hacktivist group will also claim responsibility for an operation once it has been successfully executed. A hacktivist operation typically involves a distributed denial-of-service (DDoS) attack. Hacktivists will also deface websites and hack into organizations, stealing information such as usernames and passwords, or emails, which they then publish on public websites. Whatever the motivation behind such "operations," these activities are disruptive and embarrassing for the victims, and the resulting public fall-out financially impacts their brands.
In my opinion, the Syrian Electronic Army (SEA) poses a viable and significant threat against US interests. By incorrectly labeling the group as a "hacktivist" organization, the industry has marginalized this threat. A group that is capable of conducting successful operations against high-profile media sites is a group that is capable of sophisticated attacks against highly visible and presumably well-defended targets.
However, since the media did not consider this attack "disruptive," it was marginalized. Consider this: the SEA’s take-down of a high-profile media site could just as easily have been a take-down of an online banking site or an online retail site. The ability to affect how a company conducts transactions, and thus makes money, is the ability to affect its bottom line. But no big deal, let’s just chalk this up to "hacktivism," right?
I think not. If a large retail organization were to be taken offline during the holiday shopping season, the repercussions would be far-reaching, and I am quite certain the organization would consider this a big deal.
When did the SEA graduate from hacktivism? I’d say right after they hacked the AP Twitter account and caused the stock market to fluctuate in less than 140 characters. Their fake news alert was an operation that did undermine the US economy.
Attempting to place threat actors in neatly defined categories is difficult and not altogether wise. That said, let’s examine a few definitions.
Hacktivism: "The practice of gaining unauthorized access to a computer system and carrying out various disruptive actions as a means of achieving political or social goals".
Terrorism: "The unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons".
Cyber Warfare: "Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation's computers or information networks".
On the strength of these definitions, I would rule out the SEA as a hacktivist group. I would, however, propose that the SEA falls into both the "terrorism" and "cyber warfare" categories, or at least that it lies somewhere in between, perhaps a combination of the two -- a category we could refer to as "guerrilla cyber warfare".
Classifications aside, what we should not do is marginalize a group’s capabilities. This will affect the way we protect critical systems against groups that "cross over" from hacktivism to operations that fit the definitions above. Terrorism and cyber warfare can have catastrophic consequences for the US and its interests, or for any other country. Would an infrastructure be defended differently if it were known to be the target of cyber warfare or terrorism? I would hope the answer is a resounding "yes".
As security experts, it’s our job to protect infrastructures against cyber threats, regardless of the identities of the threat actors -- they only need to get it right once, we have to get it right every time.
NSS Labs Research Vice President John Pirc is a noted security intelligence and cybercrime expert, an author and a renowned speaker, with more than 15 years of experience across all areas of security. The co-author of two books, “Blackhatonomics: An Inside Look at the Economics of Cybercrime” and “Cyber Crime and Espionage”, Pirc has been named a security thought leader from the SANS Institute and speaks at top tier security conferences worldwide.
Pirc’s extensive expertise in the security field includes roles in cybersecurity research and development for the Central Intelligence Agency, Chief Technology Officer at CSG LTD, Product Manager at Cisco, Product Line Executive for Security Products at IBM Internet Security Systems, Director of McAfee's Network Defense Business Unit and, most recently, Director of Security Intelligence at HP Enterprise Security Products, where he led the strategy for next generation security products.