Does the rise of Anonymous and LulzSec herald a new online era? Does it represent a fundamental shift in the landscape that suddenly changes everything? Let's take a fresh, clearheaded look at what's been happening lately.
Online protest is a perfectly natural and predictable phenomenon. Just as a continuum exists in real life ("IRL," as my kids are saying) between nonviolent protest and destructive, violent rage, the same continuum exists online between mainstream websites going dark to peacefully protest SOPA/PIPA last month, and people who feel that nonviolent protest is inadequate to spur necessary change. When it comes to protest, a well-worn set of philosophical and political arguments apply to violence and nonviolence, regardless of whether one chooses the digital or the analog world as a venue for protest. (Further reading: Henry David Thoreau, Martin Luther King, Jr., and Leo Tolstoy, contrasted with Leon Trotsky, Malcolm X, and George Orwell.)
The potential for an innocent bystander to be harmed by online protesters, however, may exceed the potential in the real world, where it is more risky to commit violence. After all, in physical space you can be seen, you can be tracked, you can be arrested, you can be jailed. These risks are more easily mitigated online than they are IRL. If the risk of being caught factors into a protester's calculus about whether to use violence, then online violence is simply a more logical choice than physical violence. While international authorities have recently engaged in conspicuous enforcement activities, these actions may have little impact on the mindset of groups and individuals that make up hacker collectives. Online violence is still an option for those who choose to employ it, and changing this fact without ruining the Internet will be monumentally difficult.
This leaves enterprises in a sort of "wild west" state, as I argued in my "Lawless" blog post last year. Society's real-world defenses don't map very effectively to the online world, leaving us to try to defend ourselves as best we can. And against a potential infinity of attackers, that is a very difficult task indeed.
My recommendation for enterprises is to expand their security thinking. Guns, guards and gates (real and virtual) will always be a part of the picture, but there's much more to do:
- Be a good citizen. If you see yourself as a target, examine whether communicating more effectively about your mission and the reason you are targeted could reduce your prominence as a target. If you are in an industry typically seen as hostile to online activists--for example nonrenewable energy, certain governments, defense contractors, the financial sector, old media and so on--this may be impractical. Call it capitulation if you wish; I call it pragmatism.
- Concentrate on what works. Understand how you use the Internet, and do as much as you can to enumerate and whitelist approved activity. Use technology to prevent what isn't permitted, and keep your eyes peeled for anomalies. This reminds me of Winston Churchill's observation about democracy: it's the worst possible approach to securing a network…except for all of the others. It's hard work that requires planning and diligence, but in a complicated world it's the most predictable, reliable way to limit your attack surface and reduce risk.
- Train and trust your people! Social engineering isn't a new phenomenon, but human beings are more important than ever to the infection process. If you can help them to improve their habits when it comes to opening e-mail attachments, using mobile devices, responding to unsolicited communication or keeping their systems patched, that will produce security benefits that extend well beyond your borders.
Josh Corman and Brian Martin are looking at this topic quite closely, having participated in a panel discussion about Anonymous at DEFCON last year. They're gradually releasing installments of a 7-part series called "Building a Better Anonymous" that is quite insightful.
How do you see Anonymous? Is online activism prompting you to adopt new strategies? We invite your comments.
I am not sure that businesses are concerned about being tarred by the ire of Anonymous. The risk of data loss was made clear by the issues with Sony last year, being singled out by Anonymous doesn't mean that you are a bad person since they joined with lulzsec. What it does mean is that you were low hanging fruit. The image that Anonymous likes to put out there, of a group of super hackers that can do as they wish blunts the point of their campaign against poor security. Companies can point to the evil hackers as easily as they can point to an earthquake when explaining an incident to their customers. Things seem to have very little impact on brand value already, as companies have worked out better ways of dealing with the occurrence.
Posted by: Mike | Sunday, February 26, 2012 at 09:26 PM