Can Anonymous force its victims to reconsider their actions?
Hugh Thompson, an adjunct professor at Columbia and program committee chairman of the RSA Conference, got me thinking that, in the face of hacktivism, security these days also means deliberating business practices.
If Bay Area Rapid Transit (BART) knew that its decision to temporarily cut mobile service at four of its stations would result in naked photos of its communications director appearing online, it may have kept the web up and running for commuters.
And if handbag-maker Coach knew that its support of the very controversial Stop Online Piracy Act (SOPA) would result in a group called UGNazi hijacking its DNS records to divert traffic elsewhere, maybe it would have kept its focus on satchels and clutches.
Sony, Coach and BART are just three names on a laundry list of recent "hacktivist" victims -- one which has been steadily growing over the last 12 months. As social movements such as Occupy Wall Street take hold on the streets to protest corporate and government wrongdoing, groups such as Anonymous seem to be guarding the cyber skies in the name of exposing and embarrassing its targets.
Within the security industry, much has been made of the new risk that hacktivism poses to organizations. So while organizations work to better equip themselves with the people, processes and technology to defend against this threat – all great measures, certainly – they may also want to consider an additional, and perhaps far simpler, tactic: conversation.
Hugh Thompson, the program committee chairman of the RSA Conference and an adjunct computer science professor at Columbia University in New York, thinks it makes sense for companies to, at the very least, weigh the consequences of their business decisions and practices as they face this new hacking phenomenon.
Last week, I chatted with Thompson about hacktivism, and he told me that organizations must adjust their security model to become more adaptable and nimble in the face of today's attacks. That means accepting that failure will happen and becoming more agile and competent in responding, all within the context of risk.
But decision-makers may also want to consider who they're going to tick off when they decide to do something, he said.
The corporations and government agencies targeted by the likes of Anonymous and LulzSec wield tremendous power, so it's hard to believe they would ever publicly cower to online activist attacks, which often fall into the illegal category, I should add.
But they might become more proactive in their corporate strategy, at least. After all, in Sony's case, it was ultimately hit more than a dozen times, millions of users were impacted, its leaders publicly apologized, and it certainly suffered reputational harm, particularly when the PlayStation Network was offline for weeks. Even when it knew they were coming, Sony couldn't stop the hacks. It still can't."Maybe if it was today, [Sony] would have decided the other way," Thompson told me, referencing the Hotz lawsuit.
"The scope of security has to expand," he added. "The company really is in this ecoystem. Security is a huge function of targeting, as opposed to what you have done to defend your organization."
In other words, if you're not a target, you're probably in much better shape. That's not to say anyone should ever be forced to walk on egg shells – capitalism has dealt with its fair share of blows lately, but it still remains the foundation of our economic system. And some choices an organization makes just aren't going to be loved by everyone (or Anonymous). That's a fact of life.
But if having these boardroom conversations means an organization like Monsanto, for example, which was hacked last year by Anonymous, will become a more compassionate, principled and ethical player in our world than it currently is, I'm all for the shift in corporate mindset that may result from the threat of hacktivism.
Color me skeptical for now. The power elite are a difficult bunch to win over.