Why security professionals love Anonymous

In the past I’ve suggested that Anonymous, given their notoriety, is a convenient bogeyman for those who want to alarm the public about cybersecurity. Gen. Keith Alexander reportedly said in a closed-door briefing that Anonymous may soon acquire the ability to take down the power grid, but he probably knows that’s unlikely, and that the true threat is from foreign militaries. Yet Anonymous is something ordinary people have heard about and likely find unsettling. Rounding up her reporting at the RSA security conference, Nicole Perlroth seems to confirm my suspicions of how security experts use Anonymous:

‘WE LOVE ANONYMOUS.’ Contrary to conventional wisdom, security folk love Anonymous, the loose hacking collective that says it has taken on groups as diverse as the C.I.A., Interpol and Stratfor. Several security experts I interviewed called the group “a welcome wake-up call.” For years, chief information officers had to pound their fists on the table to convince their bosses to allocate more resources to information security. Now Anonymous does that for them. “Anonymous added a silent ‘J-O-B’ before security,” one conference attendee said. “The more companies they hack, the more vulnerabilities get exposed, the greater our job security.” He spoke—no pun intended—on condition of anonymity.

There’s a silver lining here. Anonymous (and especially LulzSec and Antisec) have made a sport of breaching corporate and government systems, thus forcing CEOs to pay attention, take security more seriously, and ask tough questions. It’s a discovery process. This is the market at work. It’s not perfect or instantaneous, but the results will likely be more robust than equally slow top-down regulation.

Posted on Mar 3, 2012 #anonymous #cybersecurity

Why Anonymous will never be able to take down the power grid

Last week the Wall Street Journal reported that government officials believed that the hacktivist group Anonymous might in a couple of years’ time acquire the capability to take down the power grid. The digerati did not care for such alarmism.

One critique of the report (mine) was that the paper’s reporting was third-hand and credulous. Another widely espoused criticism was that attacking critical infrastructure did not fit the modus operandi of Anonymous. It simply would have no motive to cause widespread damage; quite the contrary, Anonymous sees itself as fighting for the people against the powerful.

Now a new article by Thomas Rid of the War Studies Department at King’s College London makes me think that even the notion that Anonymous could acquire such a capability is highly questionable. Rid’s thesis is that the more destructive a cyber weapon is, the more expensive and difficult it will be to produce, especially in terms of the intelligence needed about the target. And as a consequence, such cyber weapons will be very specific to targets, not easily repurposed, and unlikely to cause collateral damage. He writes:

A thorough conceptual analysis and a detailed examination of the empirical record corroborates our hypothesis: developing and deploying potentially destructive cyber-weapons against hardened targets will require significant resources, hard-to-get and highly specific target intelligence, and time to prepare, launch and execute an attack. Attacking secured targets would probably require the resources or the support of a state actor; terrorists are unlikely culprits of an equally unlikely cyber-9/11. The scant empirical record also suggests that the greatest benefit of cyber-weapons may be using them in conjunction with conventional or covert military strikes, as Israel did when it blinded the Syrian air defence in 2007. This leads to a second conclusion: the cost-benefit payoff of weaponised instruments of cyber-conflict may be far more questionable than generally assumed: target configurations are likely to be so specific that a powerful cyber-weapon may only be capable of hitting and acting on one single target, or very few targets at best.

The record of cyber attacks, such as it is, seems to corroborate this idea. DDoS attacks are common, while cyber weapons like Stuxnet are rare and highly targeted. (So targeted, in fact, that over 100,000 computers have been harmlessly infected with Stuxnet.) Malware that can steal information or zombify computers to be used in DDoS is general purpose. As a result, thousands upon thousands of machines are compromised. In contrast, SCADA systems used in critical infrastructure are so specific that known attacks are very few and very caveated.

If Rid is correct, it’s not clear to me how Anonymous could acquire the capability to successfully attack critical infrastructure. Anonymous would have to, in secret, select one specific target, then gather serious intelligence on its SCADA installation, then find a vulnerability to exploit, and do this in an environment in which critical infrastructure providers are taking greater notice of cyber risks. This is the sort of operation that would seem to require centralized planning and staunch discipline, two attributes that with all due respect I wouldn’t ascribe to Anonymous.

Posted on Feb 27, 2012 #anonymous #cybersecurity

Anonymous could take down the power grid? Third-hand info says yes

The director of the National Security Agency has warned that the hacking group Anonymous could have the ability within the next year or two to bring about a limited power outage through a cyberattack.

That’s the lede of the article “Alert on Hacker Power Play” in the Wall Street Journal today. But NSA chief Gen. Keith Alexander isn’t quoted. It’s reported by anonymous sources that he said this at a private briefing.

What was the context for Alexander’s remarks? Who knows. And what’s the extent of the threat he outlined? Anonymous has never before threatened infrastructure, and it’s not clear what their motivation would be now. But according to the article,

A stateless group like Anonymous doesn’t yet have that capability, officials say. But if the group’s members around the world developed or acquired it, an attack on the power grid would become far more likely, according to cybersecurity experts.

Shorter version: Anonymous doesn’t have the power to attack the grid, but if they were able to get it someday, then they would have it. Got it.

The article is by Siobhan Gorman, who often writes articles about cyber threats based on anonymous government sources. In a competitive news market, that’s nothing to begrudge. But it is problematic when press accounts based on anonymous government officials then become the evidence used by government officials to support an expansion of government power. One example is Gorman’s article on the power grid being penetrated by Chinese and Russian hackers. That article has been cited by members of Congress as evidence of a serious cyber threat in need of a legislative response. I wonder who in Congress will be the first to cite this article and the threat Anonymous poses to the power grid.

Anonymous has already responded (to the extent Anon can):

Posted on Feb 21, 2012 #anonymous #cybersecurity

Posted on Jan 31, 2012, 4 notes #link #anonymous #cybersecurity #internet

Polish parliamentarians protest ACTA.

Posted on Jan 30, 2012, 19 notes #photo #acta #anonymous #guy fawkes

Posted on Nov 9, 2011, 409 notes #video #trailer #anonymous

Taiwanese Animation of the LulzSec Hacking Rampage

(Source: seanbonner, via laughingsquid)

Posted on Jun 17, 2011, 26 notes #video #lulzsec #4chan #anonymous

Posted on Jun 17, 2011, 1 note #link #lulzsec #anonymous