The days of hacking with impunity, without any consequences or risk of penalty, may one day soon come to an end. A case in point is the rapid apprehension of an alleged suspect in the hacker attack against the U.S. Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) last week. Less than a week after hackers boasted to the media about breaching government security, at least one of the alleged perpetrators is now in custody.
According to Fox News, British officials arrested a 16-year-old male suspect in England on Feb. 12. That means that less than a week from the time the hackers boasted of breaching U.S. government security, that same government, working with its partners in the United Kingdom, was able to identify, locate and apprehend the attackers and has made at least one arrest.
When I first saw the report that hackers were boasting of breaching FBI security, I thought at first how remarkably brash it is for attackers to publicly taunt law enforcement. When there are such acts of bravado, typically, it comes from a high degree of confidence that there is little risk to oneself, or that the breached party (in this case the FBI and DHS) is so impotent that it will be powerless to do anything.
As it turns out, U.S. law enforcement is anything but powerless, and the brash pronouncements of insecurity of the government agencies are a case study in hubris. In Greek mythology, humans are guilty of hubris when they challenge the deities of Olympus or when mortal pride challenges the power of an immortal, and ultimately, the humans end up being punished.
Certainly, U.S. law enforcement isn’t all-powerful and all-seeing; however, the U.S. government has vast resources, and Edward Snowden’s National Security Agency (NSA) leaks have further informed the general public about the information sharing and gathering practices of the United States and its allies, including the United Kingdom.
The FBI and DOJ breach disclosure was likely largely about embarrassing the power of U.S. law enforcement. After all, if the FBI is unable to defend its own information, how could it have the skills to find the hackers that were able to breach it? The basic narrative was that the attack follows in the footsteps of the massive U.S. Office of Personnel Management (OPM) breach that exposed information on 26 million Americans.
The OPM breach at this point appears to be the work of sophisticated attackers from China. The Chinese government has disavowed any direct connection and in December 2015 claimed to have arrested the Chinese hackers that breached OPM.
While there clearly were some obvious security lapses at the FBI and DHS that enabled the attacker to breach and steal information, it’s important to remember that the people who set up and configure systems are not always the same people who conduct investigations and arrest suspects.
It’s also important to note that this is the second time in three months that an arrest has been made in the United Kingdom after a hacker went to the media to boast about being able to exploit a vulnerable organization. In December, British authorities apprehended a 21-year-old suspect in connection with the breach of toy maker VTech that exposed 6 million parents and children to risk.
So the lesson for would-be hackers here seems to be clear: Just because an attacker is able to defeat the system doesn’t mean that the organization responsible for that system cannot and will not respond. The extreme speed with which U.S. authorities have acted in this latest incident is proof positive that the long arm of justice will move fast to seek out hackers who taunt the FBI.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.