Considering the relative youth of the members of Anonymous and other hacktivist groups, experts at the RSA Conference discussed "rehabilitating" them in order to channel their talents.

Law-enforcement officials, IT security providers and executives at the RSA 2012 Conference were
concerned about the kind of damage hacktivists can cause on networks and on a
company's reputation. Still, while some see chaos, others see potential, and a panel
of experts worried about all this technical knowledge going to waste.

Eric Strom, unit chief of the Federal Bureau of Investigation's cyber-initiative and
resource fusion unit; Misha Glenny, a journalist; and Grady Summers, a vice president
from Mandiant, joined Jeffrey Brown, a senior correspondent with "PBS
NewsHour," for a panel on hacktivism at the RSA Conference in San
Francisco Feb. 29. The panelists agreed that many of the hacker collectives
online, such as Anonymous, were primarily political movements rather than
criminal organizations.

For many of the members, the Internet is part of their lives, and computers and
mobile devices integrate their digital and physical identities seamlessly. Hacktivism
would be the preferred method of protest for a group comfortable with online
life, Glenny said.

The groups are full of "skilled young people who are persuaded to go to the
other side," said Glenny.

Anonymous is primarily viewed by members as a political movement, and its methods are
political tools of protest, much in the same way marches and sit-ins were part
of civil disobedience in the physical world. While organized criminals do
recruit individual members for criminal activity or attempt to direct campaigns
in a way to benefit their interests, for the most part, groups like Anonymous
are political.

It is difficult to draw the distinction between what is a legitimate protest and
what is illegal, said Summers. While launching distributed denial-of-service
attacks is illegal, it's not always clear how taking a site offline is more disruptive
than physically protesting in front of an organization and preventing it from
doing business, he said.

For many organizations, last year was the first time information security was even
mentioned in front of the board of directors. Hacktivists aren't just a
security concern for organizations, but also a public relations issue.
Regardless of whether a cyber-incident was the work of Anonymous, and whether it is
an advanced persistent threat (APT) or something else, organizations still need
to respond.

Anonymous has no formal hierarchy or organizational structure. A small group of highly skilled
individuals influences other members, who are usually less advanced and younger,
panelists said. Much of the activity in Anonymous' operations is carried out by
younger members who are excited to be part of a political process.

The symbolism of the name Anonymous is incredibly "powerful," said Glenny,
noting that the name shows there's no accountability and there's no way to
trace the activities.

"Most of them are minors. How do we prosecute someone like that?" asked Strom. FBI
agents generally wind up talking to the parents, Strom said.

A lot of people think hacktivists are just kids fooling around, but the bottom
line is that they can cause a lot of harm to an organization, said Strom.

There was "not a single person in the room" who didn't know the kind of
havoc hacktivists can wreak on an organization or feel "sick to the
stomach" at the thought of being targeted, said Summers. But the amount of
attention paid to groups may be overblown.

Even though he doesn't mean to make light of the issue, Summers is not expecting a
zero-day attack from Anonymous.

Regardless of their motivation, hacktivists have forced two major changes among
organizations. Their activities have increased information sharing between
organizations and law enforcement, but they have also increased senior
management's perception of the importance of security, said Summers.

Glenny advocated "rehabilitating" hacktivists to use their talents for the
organizations, instead of against them. Instead of arresting and jailing
hacktivists for taking part in the political protests, they should be hired by
companies to provide insight and real technical skills, said Glenny.

"If your only skill is using a computer, and you're not able to do that, I think
that's likely to put you back into the underground," said Glenny.

Summers didn't think it was likely that organizations would take on the responsibility
of bringing hacktivists on board. While some companies have hired hackers in
the past, there are others with a clear policy against the practice.

While hacktivists were for the most part young, between 14 and 22 years old, there are
professionals and IT employees also taking part in these activities, said Strom.
The older members often have enough skills to be hired as professionals. The
younger members have skills that could be transferred to other uses, and it is important
that officials try to divert their interests while they are still young, said Glenny.

"We have a lot of talent out there and we should start to think of developing
methods so we can find incentives to channel those talents before it
happens," said Glenny.