Last July, the FBI executed what is arguably its most public campaign against hacktivists—individuals who breach computer systems to make a political or ideological statement. On Tuesday, July 19, the G-men cuffed 12 men and two women allegedly associated with hacktivist group Anonymous for their supposed involvement in a distributed denial of service (DDoS) attack against PayPal's website in December 2010.
The July raid appeared to be the largest public indication that the FBI was finally making headway in its investigation of hacktivist activity during a year when groups including Anonymous and LulzSec made a mockery of public- and private-sector computer systems. Between December 2010 and August 2011 alone, they broke into dozens of corporate and government networks with outrage, defiance and glee.
In fact, hacktivist activity had long been on the FBI's radar, according to Shawn Henry, executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch. He first noticed it in the late 1990s, when he was working as a supervisory special agent at FBI headquarters on computer intrusion cases. At the time, hacktivism consisted mostly of website defacements, he says. Today, it's more menacing. Consider the outcomes of just three data breaches launched in the name of hacktivism:
- LulzSec's hack into Sony's PlayStation network in April 2011 is reportedly expected to cost Sony $171 million by the end of the entertainment company's 2012 fiscal year.
- When former HBGary Federal CEO Aaron Barr threatened to expose top members of Anonymous, the hacktivist group retaliated by breaking into the security company's systems and exposing controversial and confidential emails. Barr subsequently received death threats and was forced to step down from his job.
- After Anonymous broke into the member database for Bill O'Reilly's website, a woman whose name, email address, physical address and password were exposed during the breach suffered $400 in fraudulent credit card charges and huge amounts of embarrassment after hackers posted pornographic pictures to her Facebook page and sent pornographic emails via her AOL account, according to Ars Technica.
Henry maintains that the FBI isn't motivated by hacktivist groups' ideological agendas. What matters most to the FBI, he says, is that these groups are breaking the law.
"When anybody breaches a network and steals data and then publicizes it—whether they're from a foreign country and they're using the data to help their country's industry, they sell it as an organized crime group, or they just display it because they think the company they stole it from is acting inappropriately—the fact that the data is stolen is a violation of federal law," he says, his voice rising with conviction. "Hacktivism is no different from organized crime groups or foreign governments. It's the exact same activity, perhaps done for a different reason or purpose, and it's all still illegal."
In this exclusive interview with CIO.com, Henry speaks for the first time with the media specifically about hacktivism. Though Department of Justice guidelines prevented him from discussing specific hacktivist groups and open cases, he describes the threat hacktivists pose, the challenges associated with investigating them, and the FBI's success disrupting these groups. He also has a special message for hacktivists.
CIO.com: What threat do hacktivists pose? Is there some threat that their ideology poses, in addition to breaking into computer systems?
Shawn Henry: I look at three different threats to our critical infrastructure in the United States:
[The first is] organized crime groups that primarily access the networks of the financial services sector. They steal data and monetize it to the tune of hundreds of millions of dollars a year.
There are foreign governments breaking into computer networks and stealing data from .mil, .gov and .com domain names. They steal data to help their governments compete with the U.S., to help their industry. That's being done to the tune of billions of dollars a year.
Then there are individual hackers breaking into networks for other reasons. It may be for personal interest—hacking computers to test their skills. They may be hacking into computers to make some type of a statement.
All of those groups—regardless of whether they're organized crime operating out of Eastern Europe, a foreign government, or a 16-year-old kid down the block—once they're in, they have gained control of that network. They have the ability to do a lot more than steal data. They have the ability to change data. So data integrity is at risk. They have the ability to turn off data. They can shut the network down if they gain administrative access. If I'm the owner of a network, it doesn't matter who's in my "house": If each and every one of those groups has the ability to do the exact same thing, I'm at significant risk. Anybody who has that administrative access to that network has the ability to steal data, change data and deny us access to our own data.
CIO.com: What makes investigating these organizations and individuals so difficult?
Henry: One of the most significant challenges is attribution: How do you identify who committed the crime? In the physical world, if someone robs a bank, we have video cameras and maybe eyewitnesses. We may have evidence, fingerprints. We have clues right away. The pool of subjects who may have robbed that bank is limited to the number of people in the vicinity of the bank at the time of the robbery.
In the cyber world, the pool of candidates is limited to anybody who has access to an Internet connection at any time in the world, regardless of where they're sitting. That increases the pool of candidates. [Moreover,] the evidence we have is digital. It's fragile. It's transient.
Regardless of who the actor is, intrusion investigations by nature are complex. They're most often international in nature—they have some international nexus—whether beginning or ending overseas.
There are advantages to working these cases. The biggest advantage for us is the partnerships we've developed internationally. Many countries around the world recognize that this is a worldwide problem. We've had a lot of success working with our partners internationally.
CIO.com: How can you say the FBI has been successful when a hacker claiming to be affiliated with Anonymous recently launched a successful attack on CLEAR (Coalition of Law Enforcement and Retail) that resulted in the exposure of the names, phone numbers, email and home addresses, and passwords of more than 2,400 law-enforcement, federal, military, loss-prevention and corporate professionals? And last month, Anonymous and TeaMp0isoN announced a new attack on major banks.
Henry: We've had success in the U.S. against cancer, but thousands of people die from cancer every year. We've had success in organized crime. There's still organized crime in this country, but we've arrested thousands of people involved in organized crime over the years and put heads of organized crime in prison.
To say we haven't been successful because we see activity, you have to look at the totality. We have been successful in this area. There are some statistics that have been published on the number of arrests we've made. It's not near the totality of our success in this year. We've identified people. We've arrested people in intrusion cases—in many cases, people who have impacted major networks, people who have stolen millions of pieces of data, people who have been responsible for tens of millions or hundreds of millions of dollars in damages in the U.S. A lot of our successes aren't publicized for operational purposes.
Final Thoughts From Henry to Hacktivists
"My organization is a believer in civil rights and civil liberties, and the first amendment is something I hold very dear personally and professionally. I have no problem with people picketing and protesting in the street. I get all that. But the freedom for me to swing my arm ends where your nose begins. If you are impinging on others' rights, that's illegal.
"I encourage people to promote and express their views. We in this country have probably the most robust system to enable that. We have laws that allow people to express their views. We have so many freedoms in that area that people who violate the law are way outside their lane. There are so many opportunities for people to do it lawfully that it's irresponsible for them to do it otherwise."
Meridith Levinson covers Careers and Security for CIO.com.