Does Anonymous get scarier right before big cybersecurity votes?

Feds touted Anon as enemy No. 1 before SOPA; as CISPA approaches, warnings about Anon increase

You know how you can tell Congress is about to vote on a cybersecurity bill that restricts civil rights, contradicts the open-Internet mantra preached to authoritarian regimes and gives federal law enforcement more power than the Internet Gods themselves?

Anonymous suddenly becomes a lot more threatening.

The Cyber Intelligence Sharing and Protection Act (CISPA), which critics call a more abusive version of the SOPA bill that was shouted off Capitol Hill earlier this year, comes up for debate in the House Thursday and goes to a vote late Thursday or Friday.

It has a good chance of passing the House, though it will face a fight in the Senate, according to those who follow such things.

Its chances get better if people are too worried about being hacked to get really up in arms about a bill so off target that both security specialists and civil-rights defenders hate it for legalizing cyberspying and the subversion of the Bill of Rights.

What scares voters into staying away in droves from the Internet sites that led the rebellion against SOPA?


It may or may not be a coincidence that the vote is in the week security vendor Bit9 chose to publish a survey warning about the danger of Anonymous and other hacktivists (packaged as a convenient infographic digestible by the non-technical).

According to a survey of 1,800 IT security people, Bit9 reports, Anonymous is the leading threat on the Internet.

It's not, of course. At least not any more than it was a week ago, or a month.

It's just that it's far easier to sell a restrictive security bill if you frighten people first with a bogeyman like Anonymous, which is more of a threat to companies that behave like robber barons than to more typical organizations that don't go out of their way to quash or deny the right to the Internet or to protest.

Attacks on Visa and Mastercard in 2011 and the CIA – plus a corporation or two – in 2011 and 2012 demonstrate the threat of hacktivist attacks from Anonymous is very real, of course.

It's just that the level of threat stays pretty much the same over time.

The chance Anonymous is about to do something disastrous doesn’t suddenly shoot up in real terms in the week or two after some law-enforcement agency or security vendor publishes an analysis or survey saying for the thousandth time that members of Anonymous are hackers who have hacked before and may hack again.

That endorses Bit9's finding that almost two thirds of IT security people are concerned about the threat from hacktivist groups, that 61 percent think their companies will be attacked in six months, or that Anonymous was the first culprit they thought of when imagining the attacks to come.

Of course they're worried about attacks from hacktivists and from Anonymous in particular. Anonymous is not a group of criminals willing to do their work and keep their mouths shut. Anonymous is trying to change attitudes, policies and politics.

Anonymous is pugnacious, but not randomly dangerous

For a shadowy, secretive organization, Anonymous does a good imitation of an attention whore with a cause.

That's the "activist" part of "hacktivism." When Anonymous attacks something or threatens to attack, people recognize the name, understand the threat could be legitimate and react to it – sometimes by tightening their security precautions and policies, more often by wailing and gnashing their teeth over the threat from hacktivists, not their own failure to improve the precautions against them.

Two data bits from Bit9's own survey contradict the supposition that Anonymous is the apocalypse and only CISPA can save us:

First, among the security people in the survey who said they work for the federal government, far more said their biggest fear is digital espionage or attack from China, Russia or other nation-states than said they worried about Anonymous or other hacktivists.

Attacks from Chinese cyberspies cost the U.K. $43 billion, according to a report from the British Ministry of Defence's Cyber Security Program in October.

Federal agencies are in a more direct line of fire from hacktivists like Anonymous than any individual company, because there are fewer of them and the government is the primary target of protesters.

Federal agencies also have Congress' ear to a much greater degree than the private sector when they complain about security risks.

If legitimate complaints about security were behind CISPA, you can bet Congress would put far more effort into protecting the military, political and taxpayer information at government agencies than they did to protect the intellectual property of Sony, whose various networks and divisions were hacked 18 times in one long, orgiastic series of attacks last summer.

If the security wonks at those agencies put nation-states like China and Russia at the top of their list of most-likely attackers, is it accurate to consider Anonymous the biggest threat?

Second: No, it's not accurate.

When asked about specific kinds of threats to which they might be vulnerable, 45 percent said malware was the biggest risk, followed by spear phishing (16 percent) and drive-by malware downloads (13 percent).

The main weapons of Anonymous, MalSec, LulzSec and the rest of the brothers of the coast – distributed denial of service (DDoS) and SQL Injection attacks – worried only 11 percent and 4 percent of respondents, respectively.

Where are the real cybersecurity risks?

For a little perspective, the 4,300 people interviewed for the annual Security Threat Report from Sophos listed sloppy user security, social networking scams and malware as the most significant security threats for this year.

Weak passwords, botnets, misconfigured cloud-computing security, negligence and data-leaking mobile devices are all larger threats to most companies and individuals than hacktivists, according to veteran tech columnist David Coursey, in a January Forbes opinion piece.

Most ominous of the growing, underappreciated threats are social-engineering attacks launched through social networks and spear phishing, Coursey wrote.

The biggest threat, the one IT divisions of global corporations have to reorganize and retool to counter, is remarkably similar to the threat government security geeks fear, according to an annual cyber risk report from the Security for Business Innovation Council (SBIC): "advanced persistent threats" from sophisticated cyberspies using malware, spear phishing and other methods to find a way in to a targeted company to weaken it through sabotage or espionage.

Cyberwar isn't just a theory among global corporations, the report found. It's a daily struggle.

Forget Anonymous; worry about malware

Anonymous is present in all those other threat reports, but it's not at the top of the list of dangers.

Purposely or not, Bit9's new survey reinforces the idea that Anonymous is the biggest threat on the Internet, even though its own data show that the biggest single threat is from Chinese cyberspies using spear phishing and malware to help crack specific targets. That is the typical MO in a years-long series of attacks on military and government institutions, which most insiders blame on China, so it's more than convenient the three are among the most-cited risks.

Unfortunately for those of us who have to wade through the hype of vendors and lobbyists pushing for CISPA and against an open Internet, it takes some determination to uncover the artful misrepresentations and replace the misleading omissions.

It's not that CISPA proponents like malware or hate Anonymous inappropriately. It's just that most people who are aware at all of digital security have heard of Anonymous and may feel threatened by them.

As Bit9's survey shows, Anonymous is the first name that comes to mind when the topic is cybersecurity.

The amorphous threat of foreign spies hacking a computer over which you hold no responsibility and the impersonal threat from malware are both less visceral and harder to name quickly when someone asks you to name the one thing you fear most on the Internet.

It's just too bad Bit9's respondents didn't have a moment to think before responding; their No. 1 threat might very well have been the punitive, destructive CISPA, rather than Anonymous, which at least claims to be fighting to uphold Constitutional protections instead of eliminating them.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
