Today any government can suddenly find itself the center of worldwide attention after a divisive event, drawing the unwelcome attention of hackers with a political agenda. Here’s how to prepare.
“Tim Robertson” has a nice house. It’s a three-bedroom, two-bath American Craftsman, built in 1906, with an American flag flapping on the porch under a canopy of trees that are nearly as old as the house itself. His lawn is neat, just like his neighbors’ yards. Tim seems like the kind who does for himself, so the lawnmower is probably stored in the detached garage, which is out back. You can see it in the satellite image of his property, which is just an 18-minute drive to his office in the city. Yes, it’s just the brand of classical beauty that every American is raised to believe he will one day own.
Tim’s second wife has dropped a few hints that they might move closer to her sister, but he’s moved 12 times in the past 20 years, and at 47, with the kids out of the house, he’s ready to settle down. And besides, when Tim finds something he likes, he tries to stick with it. It’s why he’s had the same phone number for 19 years, the same email address for 16, and it’s why he still uses AOL as his Internet provider. At least, that’s what his IP address shows.
Tim doesn’t have the patience for social media and seems to have gone out of his way not to air any personal business online. And although he’s well educated, having attended two of America’s most esteemed learning institutions, what Tim may not be aware of is that with just two hours of research and $22.31 invested, a journalist from the other side of the country was able to compile a comprehensive profile on his personal life, family, work and criminal history (Tim ran a red light in 2012, but is otherwise clean). Such an investigation is harmless only because the experimenter harbors no ill intent where the mostly law-abiding father of two is concerned, but if a hacktivist group like Anonymous were to decide, for whatever reason, that Tim Robertson was the enemy, all it would take to destroy his life is a little bit of gumption.
Scouring the Internet for information about a target and then publishing it to defame or intimidate — doxing — is one of the hacktivist’s most powerful tools. Unlike distributed denial-of-service (DDoS) attacks, network breaches and misinformation campaigns led via social media, doxing is invasive, unstoppable and legal. Most people don’t mind having pictures of their families, homes and pets online for all to see, tagged by date and geographic coordinates, because most people don’t have malicious enemies fueled by political indignation and a sense of justice informed by the Old Testament.
Protests following the death of Michael Brown in Ferguson, Mo., were complemented by hacktivist assaults on digital infrastructure that included DDoS attacks, SQL injection attacks and a phishing campaign. Photo by APImages.com
When Michael Brown was fatally shot by a police officer in Ferguson, Mo., late Saturday, Aug. 9, 2014, state and local governments there had more problems than they could handle by Monday morning. Before mistakenly doxing an innocent bystander, Anonymous released St. Louis County Police Chief Jon Belmar’s home address, phone number and a photo of his house. Photos of the chief’s daughter and wife soon began circulating on Twitter, accompanied by veiled threats against his and his family’s safety.
The Anonymous vigilante assault also included DDoS attacks, SQL injection attacks and a phishing campaign launched against the digital infrastructure of Missouri state government, law enforcement agencies and regional governments that weren’t necessarily related to Brown’s death. It doesn’t matter who a person is or what he or she believes — the hacktivist’s shotgun approach to retribution means that anyone might wake up to find they’ve become collateral damage in the next big furor.
The targets of Anonymous’ ire all share in common some violation of the group’s moral code, usually a perceived abuse of power, but its targets are so diverse and far-flung that it’s difficult to say who might be next. Since cutting its hacktivist teeth in 2008, Anonymous has rallied against Sony, PayPal, Visa, MasterCard, the Motion Picture Association of America, ISIS, Koch Industries, the Westboro Baptist Church, the New York Stock Exchange, and the federal governments of the U.S., Australia, Uganda, Israel, Canada, Tunisia and Egypt, along with assorted private individuals and smaller companies that each transgressed against the group’s sense of propriety in some fashion.
When Missouri was attacked by Anonymous, it was half ready. Michael Roling, the state’s chief information security officer, said Missouri did an impressive job minimizing the impact of the attacks, but if he could go back in time, there are a couple of things he would do differently.
The attacks came in three forms: DDoS attacks to disable websites, SQL injections to infiltrate databases and a phishing campaign to obtain security credentials. The state had a security plan in place when the attacks struck, but it hadn’t been fully implemented and staff weren’t quite ready, especially for the DDoS, Roling said, which started in the middle of the night on the weekend.
“Some of our better partners were sleeping,” he said. “The large DDoS partners, we had a difficult time reaching them, so that was one instance where I wish we’d have had those relationships in place much sooner. Some of the vendors wanted a $20,000 or $40,000 emergency setup fee. We had to figure out, ‘Do we want to go that route? Do we want to wake up our attorneys? Do we want to wake up purchasing?’”
Ultimately, Roling said, the attacks improved the state’s security posture. Even today, the baseline for attacks against Missouri remains elevated compared to before Brown’s death, and the state now contracts with several new vendors to manage security operations. Missouri uses a managed DNS provider, Border Gateway Protocol (BGP) routing and application-layer protection to mitigate DDoS attacks.
Groups like Anonymous attack their enemies to prove a point. They want to show the government, or whomever, that evil deeds don’t go unpunished. It’s out of a perceived lack of legitimate recourse that hacktivists disable websites and make personal threats, but of the 10,000 arrows fired, many land on innocent villagers. Roling didn’t shoot anyone, but he and the rest of the state’s IT team are the ones left picking up the pieces. The more time and money the state spends on its cybersecurity, the less taxpayer funding there is left for citizen services. The people Anonymous wants to advocate for are the same ones footing the $40,000 emergency setup fees and new vendor contracts. Anonymous might mean well, but pestering the state won’t stop the next race riot. It’s just another thing that poorly funded state and local governments must worry about.
“The biggest shame in all this is just seeing some governments doing nothing, and they just get pounded over and over again,” Roling said. “Anonymous goes after the easy, soft targets, and it’ll continue to go after those soft targets until they have hardened. I think the biggest thing is it impacts the citizens’ trust in their government.”
As of 2015, Anonymous has become synonymous with serious, grass-roots political movements, but the group’s more puerile roots continue to color its activism. Tens of thousands of angry street activists in Guy Fawkes masks are unlikely to be convinced anytime soon that their efforts are less constructive than imagined, because their actions do generate a lot of attention, if nothing else. And those more sensible participants who would concede that point are not the ones government is worried about, anyway. The biggest threat posed by any group lies in the most extreme elements of its membership.
Preparing for hacktivist attacks is similar to preparing for any other kind of cyberattack, said Bret Brasso, vice president of state and local government sales at security firm FireEye. “One of the key challenges, right at the outset, is the unpredictability,” he said.
Using the American legal system’s “means, opportunity and motive” device is a useful starting point for understanding hacktivists, Brasso explained. The nation-states that mount sophisticated attacks on states have greater means than hacktivists or organized crime groups could develop, and connections that give them better opportunities than hacktivists have, but hacktivists are the most motivated.
“How does one prepare for that? It’s almost impossible, because you never know when an incident like that is going to occur or if someone says something publicly that’s going to create an outrage,” Brasso said. “It puts state and local entities in a very reactive situation, and about the best they can do when something is going on like that and the media starts to focus on it is [recognize] that’s probably a good indicator that they should start to consider the possibility that hacktivist groups might take an interest.”
Preparing for hacktivism differs little from other forms of cyberdefense. Control frameworks like the one outlined by the National Institute of Standards and Technology are good road maps for governments, Brasso said. Even if organizations aren’t ready to implement every piece of the framework, they can know where they stand compared to where they should be. Tools include things like firewalls, advanced malware protection, intrusion prevention tools, vulnerability assessment tools and education to prevent simple mistakes by employees.
The Albuquerque, N.M., Police Department website went dark after police shot and killed a mentally ill homeless man. Photo by APImages.com
In March 2014, Albuquerque, N.M., faced attacks from Anonymous after police fatally shot James Boyd, a schizophrenic homeless man who had been camping in the wilderness. Albuquerque CIO Peter Ambs said that cyberattacks like those are essentially tests of how well you’ve been maintaining your security posture all along.
As in Missouri, the biggest challenge, Ambs said, is establishing all the right relationships before your city’s name starts appearing in the headlines. The attacks brought down the Albuquerque police department’s website for a few hours, and by working with groups like the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the FBI, the city was able to mitigate the attacks, Ambs said.
“I think any state or local organization is just one step away that you can’t predict, in terms of hacktivism, that a threat will appear,” he said. “It doesn’t have to be a police brutality situation. It can be anything that’s perceived as a social injustice.”
Ambs admitted that where doxing is concerned, there’s little anyone can do except not to release any personal information in the first place. “If I want to promote and tweet city information, I use the city Twitter account. We’ve got a robust social media presence with the city, and so it is a conundrum. We’re expected to be very active in the social media environment, and you just have to be smart about what’s being publicized.”
Albuquerque considers itself a leader in open data and transparency too, Ambs said, but those issues, in combination with emerging technologies like police body cameras, make the line between good practice and threat to the public servant a thin one.
“Everybody’s demanding transparency and open government, as well we should,” Ambs said, “but in the online world, everything that has a good motive also can be exploited.”
Luke Stowe, digital services coordinator for Evanston, Ill., said one of the best things governments can do when it comes to any disaster is to prepare and plan ahead. Fake social media accounts, for instance, have more influence when the government being spoofed doesn’t have a legitimate online presence to begin with.
“Make sure you have a robust social media presence up and running, because a lot of these government agencies are slow to adopt and waiting until after that natural disaster hits to start a Twitter account, [but] it’s too late,” Stowe said. “You want to build up those relationships ahead of time.”
There are many basic measures governments can take, Stowe said, like getting verified status on Twitter and using two-factor authentication, but when it comes to avoiding the release of someone’s family photos, there may not be a good answer.
“It’s the million-dollar question,” he said.
An official from the FBI’s Cyber Division, who asked to not be identified, said it’s the small and medium-sized organizations that are hit hardest by hacktivism because they’re the ones that aren’t ready. State and local governments should expect DDoS attacks and have a mitigation plan and vendor relationships in place, he said. Governments should monitor how much traffic their networks normally receive so they can quickly recognize when an attack has begun.
“Because the minute it starts happening, it’s kind of too late,” he said. “If you don’t already have that set up, you’re going to be victim of it and there’s not a whole lot that the federal government can do to help you during the actual attack. … The simple fact of it is if someone wants to get into your system, if you get someone who has the skill set, it’s just a matter of persistence. They’re going to find a way.”
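The monitoring the official describes comes down to knowing your normal request volume and alerting when a minute falls far outside it. The following is an added illustration, not code from the article or from any agency or vendor it mentions; the log lines and the one-request-per-line format are constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "timestamp client method path" per request.
# Four quiet minutes, then a burst in minute 02:04 to mimic a DDoS starting off-hours.
QUIET_LINES = [
    "2014-08-10T02:00:12Z 203.0.113.5 GET /",
    "2014-08-10T02:00:40Z 203.0.113.9 GET /news",
    "2014-08-10T02:01:05Z 198.51.100.2 GET /",
    "2014-08-10T02:01:50Z 203.0.113.5 GET /contact",
    "2014-08-10T02:02:14Z 198.51.100.8 GET /",
    "2014-08-10T02:02:33Z 203.0.113.1 GET /news",
    "2014-08-10T02:03:02Z 198.51.100.2 GET /",
    "2014-08-10T02:03:59Z 203.0.113.9 GET /",
]
BURST_LINES = [f"2014-08-10T02:04:{s:02d}Z 192.0.2.{s % 40 + 1} GET /" for s in range(60)]
SAMPLE_LOG = QUIET_LINES + BURST_LINES


def requests_per_minute(lines):
    """Bucket requests by minute (timestamp truncated to YYYY-MM-DDTHH:MM), in time order."""
    counts = Counter(line.split(" ", 1)[0][:16] for line in lines)
    return dict(sorted(counts.items()))


def learn_baseline(counts, baseline_minutes):
    """Mean and population stddev of per-minute volume over the first N (quiet) minutes."""
    sample = list(counts.values())[:baseline_minutes]
    return mean(sample), pstdev(sample)


def detect_surges(lines, baseline_minutes=4, sigma=3, floor_factor=5):
    """Flag minutes whose volume exceeds mean + sigma*stddev AND floor_factor*mean.
    The floor keeps a flat, zero-variance baseline from alerting on one extra request."""
    counts = requests_per_minute(lines)
    avg, std = learn_baseline(counts, baseline_minutes)
    threshold = max(avg + sigma * std, avg * floor_factor)
    return [(minute, n) for minute, n in counts.items() if n > threshold]


def top_sources(lines, minute, k=3):
    """Most active client addresses within a flagged minute, to see how concentrated it is."""
    clients = Counter(line.split(" ")[1] for line in lines if line.startswith(minute))
    return clients.most_common(k)
```

In practice the baseline would be learned from days of traffic, not four minutes, and a flagged minute is the trigger to engage the DDoS vendor relationships the article says must already exist.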
Once due diligence has been done, the most realistic advice — both for the hacktivists who rail against immutable forces of human nature and the governments that increasingly fall victim to their flailing — comes from the author of Treasure Island, Robert Louis Stevenson, who wrote that, “Our business in life is not to succeed, but to continue to fail in good spirits.”