The scale of the WikiLeaks’ information release and the responses on all sides demonstrate the emergence of new harsh realities for security, privacy, transparency and protest. Companies and governments alike will be vulnerable. In recent weeks Shaping Tomorrow has raised the issues of the rise and changing nature of cyber-crime, new forms of protests, the vulnerability of corporate reputations. The ongoing WikiLeaks events reflect the merging of these issues into a more complex and unstable reality.
What is changing?
The scale of the WikiLeaks information release shows that security services and companies alike are working in a new reality. Documents and ‘confidential’ information are not only much more accessible, but they are more transportable and more ‘sellable’ to either legitimate media outlets or criminal organisations.
The scale and speed of the Denial of Service attacks by WikiLeaks’ supporters on organisations such as Visa and PayPal, which withdrew services and support to the organisation, indicates a new reality in hacktivism. It has been described as a wake-up call for companies and governments. The anonymous use of downloadable software, automated botnets, but also the ease of generating and coordinating large numbers of active supporters via social networks have all created a new level of focus, scale and speed of attack. Now that the tools are available and how to use them is clear, so other protests/ attacks will be that much easier to organise and more likely to occur.
The tone and nature of the rhetoric is hardening attitudes on both sides. Calls by the US Presidential hopeful, Mike Huckabee, for the execution of the whistleblower, the description of the WikiLeaks’ revelations as the ‘September 11 of world diplomacy’ the name of the hacktivism campaign as ‘Operation Payback’ on the ‘enemies’ of WikiLeaks –indicate growing confrontation and antagonism. The recent demands by the US government for the personal details of key individuals – including an Icelandic politician – have been greeted with dismay and resistance by many. There have been comments that if other governments had made similar demands the USA would have been protesting, not demanding.
Changes in the wider political and economic arena are further stoking the potential for conflict and hacktivism. The growth of single issue politics, the escalation of rhetoric in mainstream politics and the media, the continued economic uncertainty and perceived inequity of job losses and bonuses, plus the increasing willingness to resort to violent protest to make a point, all indicate a growing likelihood of greater levels of hacktivism in future.
Why is this important?
We live in an increasingly connected, transparent, smart world. That level of connectedness will grow significantly as inbuilt intelligence and levels of automation – e.g. of cars, shopping and travel, grows; as the use of mobile phones to organise, manage, review and pay for our lifestyles increases; as companies become ever more reliant on the cloud and the internet to do business. That growing connectedness will mean increased vulnerability for anyone and everyone, all organisations, services and infrastructures and even nations and governments. Young people are beginning to find a voice again as protests about job losses and unemployment, cuts and price rises grow. There are also growing concerns about the emergence of a lost generation of unemployed young people with unemployment rates of 40% among this age group in some countries. Most hacktivists are young men under the age of 25. A growing sense of desperation, lack of hope and opportunity, and perceived alienation from and powerlessness within mainstream politics may make them, and others, more willing to adopt hacktivist tactics. It may also provide a sense of identity and kudos, adrenalin and excitement, an image of themselves as ‘David against Goliath’ ‘Robin Hood’ fighting the ‘bad guys’.
Companies and their supply chains will be increasingly vulnerable. This age group are unlikely to be interested in press releases and PR. They are sceptical and cynical about ‘the establishment’. If an issue arouses their anger they will be increasingly willing and able to resort of hacktivism. Any number of issues, actions, decisions, rumours and allegations, perceived injustices or unfair treatment could act as a trigger for external but also employee led hacktivism. As yet, only a relatively few high profile and much reported incidents have occurred, relative to the total amount of internet traffic and number of websites. Companies will need to identify their potential areas of vulnerability, consider the potential perceptions of actions, review the security and trackability of key intelligence and sensitive information, examine the fairness, truthfulness and consistency of their actions and statements at all levels. Any aspect of their own business, or those of their suppliers and customers, may become a target if they are seen to be ‘double dealing’, ‘being hypocritical’, ‘suppressing or biasing research findings’. The ease with which such attacks can be organised is likely to make them a more popular mode of action.
Organisations will need to review data security in new ways. They may need to have even more extensive, possibly even separate parallel internet service providers in place; continue to investigate and review the nature and growth of the threat on an ongoing basis – both from protest related hacktivism, but also the growing criminal threat as well; ensure that their own internal responses to increase data security do not hinder the exchange and sharing of data such that they reduce the ability to compete or work effectively; work with suppliers to ensure that the quality and provenance of products, processes and procedures are such that they do not become vulnerable by default. Governments may also be vulnerable. China, Israel and Russia, among others, are seen as having encouraged the development and use of ‘nationalist hackers’ to attack others, the attack on Estonia being one of the first and most prominent. If circumstances change and disaffection and protest increase, then these well trained and experienced groups could become an internal threat able to undermine the regime. Secondly, governments may be less able to monitor and track security threats if, as a result of the original leaks, they reduce the availability of and access to different types of information such that important pieces of a jigsaw of data are not available to make an emerging threat visible.
And, in amongst all this, there are real dangers and threats to legitimate protest, the justifiable exposure of real issues and companies’ bad or even criminal practices, genuine freedom of speech and clear boundaries to personal privacy. The boundaries between all of these are blurring and the reactions by the media, companies, security services and governments in response to the undoubtedly real threats could both reduce our ability to respond as well as damage wider freedoms.
We at Shaping Tomorrow continue to review our own responses, are you? We would be interested in sharing ideas and hearing your thoughts.