Even though the name may conjure up dire images to the contrary, hacktivists are not after the corporate database. Rather, the primary target is usually a company’s reputation.
“We haven’t seen any cases where the people doing the protest even got close to or were intending to compromise data,” said Electronic Frontier Foundation Legal Director Cindy Cohn. “‘Hacktivism’ is a euphemism. It’s closer to ‘activism’ than it is to ‘hacker’. The addition of the ‘h’ is more a whimsical indication that this is going on online as opposed to offline.”
Most incidents of hacktivism resemble denial-of-service-type attacks against corporate or government Web sites and mass, automated email campaigns intended to overwhelm servers with protest messages, said Paul Miller, a researcher with London-based Demos, a public policy think tank.
Even though Miller and others contend hacktivism is more an issue for corporate image managers than the IT department, he does expect online protests to increase as more of the world gets connected and organizations, corporate and otherwise, rely on the Internet for commerce and marketing.
“Generally, it’s not actually the physical damage or the IT damage that these sorts of campaigns make,” said Miller. “It’s more the reputational damage. They’re generally looking to make a point, make a splash. They’re using this as a tool to get into the media.”
Denial-of-service attacks are actually on the decline, said Dr. Sandor Vegh of the University of Maryland, who studied hacktivism for his dissertation this year, because new technology makes it harder to overwhelm networks and servers these days than even a couple of years ago.
Andrew Bichlbaum, a founding member of The Yes Men, which is currently running a parody Web site to protest Dow Chemical’s Bhopal, India policies, confirmed Miller’s assertions, saying his group is simply engaged in the online equivalent of a 1960s sit-in.
“There’s no technology involved at all besides a bit of HTML for the website,” said Bichlbaum.
Dow declined to be interviewed for this article. Rather, the company issued a statement saying it respects the rights of The Yes Men to speak out but feels it is not proper to mislead people by using Dow’s images or to attribute statements to Dow or its associates.
The Yes Men are somewhat infamous for a WTO parody Web site (www.gatt.org) that got the group invited to speak four times by groups thinking they were WTO representatives. Bichlbaum even spoke on CNBC’s Market Wrap and no one was any the wiser. Even with these successes, however, The Yes Men have since given up updating the site since “horrifying people wasn’t working,” said Bichlbaum.
“The point of all these actions isn’t to show people are stupid to invite us or not to check,” he said. “What’s really the point is to show what’s wrong with the WTO.”
Outlawing Legitimate Protest?
In the future, however, any response may be unnecessary if separate legislation working its way through the European Union and the U.S. Congress, which would make some hacktivist tactics a crime, passes, said Vegh. According to EFF’s Cohn, denial-of-service attacks intended to crash an organization’s server are already illegal.
“The issue is…by lumping it all together they may outlaw legitimate protest,” he said. “Where you draw the line, that’s exactly the issue right now. From an IT point of view, the more they outlaw the better.”
Unless hacktivists are actually breaking existing law concerning computer crime (see the Computer Fraud and Abuse Act of 1984), there really isn’t any legal action a company can take, said Cohn, because protesting, online or otherwise, is not a crime. Parody, for example, is protected by the First Amendment.
Most hacktivists, asserts Cohn, want their actions seen as activism anyway and not mistaken for more malicious activities. As a whole they are concerned about diluting their message and losing converts if their activities are seen as illegal, she said. Often groups will contact Cohn to see if their activities are crossing a legal line somewhere.
Her advice to IT managers is not to jump to conclusions based on mainstream media reports, but to educate themselves about the differences between hacktivism and hacking before beefing up their defenses.
“Before you take steps to triple modify, triple protect your network against these sorts of people you owe it to yourself to read what these people are doing as opposed to just labeling,” she said.