Another explanation for the high cost of cybercrime may be that it isn’t true. The Norton report numbers, for example, come from a survey of 12,704 adults and 4,553 children and 2,379 teachers between February and March 2011. Extrapolating from their responses, Norton not only came up with the $114 billion number, it also claimed that 431 million people were victims of Internet-related crime that year. But according to Dinei Florencio and Cormac Herley, researchers at Microsoft, to come up with these numbers Norton relied on the kind of statistical analysis used in exit polling, in which the sample is multiplied to get the whole, a method that does not translate because voter preferences and monetary losses can’t be calculated the same way. “Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million,” Florencio and Herley wrote in The New York Times last spring. “Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can’t be canceled.”
Still, if upward estimates skew the numbers, so do absent estimates. It is now well documented that corporations and other institutions are reluctant to admit losses or acknowledge security breaches out of fear of alienating customers, seeing stock prices plummet, or encouraging lawsuits from those affected. After hackers broke into the computer system of the Wyndham Hotel chain three times in the past four years, making off with hundreds of thousands of credit card numbers, the company chose not to acknowledge the thefts to shareholders in its annual report. It was the same for Amazon, which failed to report a large-scale theft of customer data from its Zappos and 6pm clothing divisions, an oversight challenged by the Securities and Exchange Commission, which would like companies to be more forthcoming with such information. (The SEC can do no more than express such hopes. It has no statutory power here.)
Despite corporate reluctance, and possibly because of it, the courts have been engaged anyway. After a Russian syndicate stole around 6.5 million passwords from the social media site LinkedIn this past spring, one of the victims initiated a class action suit claiming not only that LinkedIn did not properly guard personal information, but that it purposefully withheld notice of the attack from those whose data was compromised. The passwords could be used to access users’ private information, including phone numbers, addresses, and professional history, and could often be used as well to access other online accounts such as e-mail or bank accounts, since many people use a single password for most of what they do online. Meanwhile, the Federal Trade Commission has brought a lawsuit again Wyndham World Wide, alleging that the company failed to protect its guests and asking the US District Court “to order Wyndham to stop deceiving customers about its information security practices and to order Wyndham to refund lost money to [them].”
As common as it has become for companies to keep cyberattacks under wraps, it is also the case that attacks are now so numerous and sly that businesses and other organizations are often unaware that their systems have been compromised. According to a study by the Internet technology company Juniper Networks, as reported in a publication called Homeland Security News Wire, “in the last year 90 percent of businesses had suffered at least one security breach.” And when Richard Bejtlich, the chief security officer at the American computer security company Mandiant, made inquiries, he and his colleagues found that 94 percent of his firm’s clients did not realize that their companies had been breached—in this case, apparently, by Chinese hackers looking for trade secrets and other information that might give them a business advantage. “In many cases, the skills of the adversaries are so substantial that they just leap right over the fence, and you don’t ever hear an alarm go off,’’ the FBI’s Shawn Henry told The Wall Street Journal.
Richard Bejtlich and his firm are what are known in the hacking world as “white hats” or “ethical hackers.” They use the tools of hacking to penetrate computer systems, find holes in their security, and, ideally, patch them. The good guys in the white hats are so keen not to be confused with the bad guys in the black hats that there is now a course of study offered by the International Council of E-Commerce Consultants to certify their ethical bona fides. This may be, in part, because a lot of the white hats used to be black hats. They have followed the lead of Kevin Mitnick, the man who, a generation ago, was the world’s most notorious black hat hacker, the bane of the FBI, who served five years in prison for breaking into telecom companies, government agencies (including, possibly, the National Security Agency), and academic institutions. Mitnick now runs his own white hat computer security firm and is paid good money to do what he used to do for kicks and the promise of an orange jumpsuit.
The breathless beginning of Mitnick’s latest memoir, Ghost in the Wires, has him breaking into a corporate computer network Mission Impossible–style. To do so he sneaks into the corporation’s offices using a fake ID, then has an assistant climb through a ceiling to let him into the offices of the network administrator, whose computer he then hacks into. He takes his time before letting readers know that his adrenalin-pumping hijinks are all on the up and up. Still, such assurances may not do much to dispel the public perception that all hackers are cut from the same cloth.
One reason it is hard to distinguish between, say, the hackers from Anonymous and the hackers from the Chinese military, and both of these from a nineteen-year-old in Georgia, is that hackers like it that way. Eager to follow the hikers’ dictum to “leave no trace,” they operate from behind proxy servers—intermediary computers between the hackers and their targets—that hide their own computers’ unique identifiers, making it nearly impossible to pinpoint where in the world they are. They also adopt online personalities that, typically, are more wishful than real, and they use monikers that are meant to deceive. (One of the more active members of the hacker group Anonymous who called herself Kayla and claimed she was a teenaged American girl was actually a British man in his twenties who had served four years in the army.) As Parmy Olson points out in her exhaustive and darkly entertaining chronicle We Are Anonymous, “individual personalities could emerge, but people still had no real-world identities.”
In his own research, Misha Glenny found it “impossible to establish fully what was really going on between the players, and with whom they were ultimately working.” This was not just a problem for outsiders like him. Even the “Anons” of Anonymous had little idea with whom they were working, according to Olson. Trust was contingent, and fleeting. When the hacker who went by the name Sabu started sharing personal information, revealing his actual name and hometown, a colleague of his in the Anonymous group, who went by the name Topiary, began to distrust him. It was inverted logic, but it turned out to be spot on. When the FBI announced in March that it had caught Sabu, it also revealed that he had been an FBI informant for the previous eight months, selling out his crew.
As Parmy Olson tells the story, Sabu, whose real name was Hector Monsegur and real address was a sixth-floor apartment in the Jacob Riis public housing project on New York City’s Lower East Side, embraced his new double role, going so far as to identify himself to a police officer as a federal agent, a claim that eventually got him more jail time.
While feeding information to the FBI, Monsegur continued to consort with other Anons, plotting raids that enabled federal agents to gather evidence that would ultimately implicate his “friends.” Under the watchful eye of the FBI, Anonymous was free to carry out its hacks, most notoriously a raid on the “global intelligence” company Strategic Forecasting—or Stratfor—according to Olson, “an Austin-based intelligence service that made money selling a newsletter to clients who included the Department of Homeland Security.” As the FBI looked on, the Anonymous hackers lifted 60,000 credit cards and passwords, which they then used to make nearly $1 million in donations to the Red Cross, Save the Children, and other charities. They also took over five million Stratfor e-mails, which they “donated” to WikiLeaks.
Among other things, the Stratfor e-mails revealed statements by Stratfor employees that the government was spying on US citizens and corporations were spying on union representatives and other activists. They also seemed to indicate that the United States was preparing a secret indictment against WikiLeaks founder Julian Assange.And so, the question arises: Which hackers were wearing the white hats here and which were wearing the black?
The various actions of Anonymous and its offshoots have included shutting down Sony websites twice (once to avenge Sony’s lawsuit against the young hacker who had “jailbroken” its PlayStation gaming console and once for supporting the Stop Online Piracy Act then before Congress),2 briefly shutting down the Web operations of both MasterCard and PayPal after those companies blocked donations to WikiLeaks and Julian Assange,3 and also shutting down the Scientology website in an effort to “expel it from the internet.” If there is a guiding principle to these actions, it is that “information deserves to be free.” It’s not so much freedom of information that’s involved as the freeing of information from organizations that control it.
To try to ascribe a more coherent political philosophy to a bunch of individuals who steadfastly reject coherence by their alliance with an organization that doesn’t exist, since it cannot be joined and doesn’t have members, not only would be folly, it would miss the current of nihilism that runs through Anonymous, whose primary allegiance, at least early on, was to the “lulz”—that is, to fun and games and laughs, no matter at whose expense. (This is where the name of one of the main Anonymous offshoots, LulzSec—derived from the Internet acronym LOL, Laugh Out Loud—comes from.) Why call each other “fags” and “niggers”? Why coerce people into performing sexual acts in front of a webcam by threatening to reveal information about them or to “find their true identities, send them threats on Facebook, or find their family members and harass them, too”? Why—because they think it’s funny to shock and humiliate.
Still, some of the same people who did these things also “liberated” the Stratfor e-mails, just as they hacked into the accounts of a venal government contractor, HBGary, and exposed, among other things, that this firm and several others had approached Bank of America with plans to attack and discredit WikiLeaks. (According to an online report by Forbes, they proposed using “forged documents, pressuring donors, and even blackmailing [a] WikiLeaks supporter.”) It was an Anonymous member, too, who wrote the program that allowed Tunisians to go online without government surveillance—a small bit of code that inadvertently catalyzed the Arab Spring.
2 It should be noted that the young hacker on whose behalf this attack occurred, George Hotz, disavowed it. In an interview with New Yorker reporter David Kushner (May 7, 2012) he said: “I’m the complete opposite of Anonymous. I’m George Hotz. Everything I do is aboveboard, everything I do is legit.” ↩
3 Upon which the group tweeted: “Freedom of expression is priceless. For everything else there’s MasterCard,” echoing MasterCard’s own iconic ad campaign. ↩
It should be noted that the young hacker on whose behalf this attack occurred, George Hotz, disavowed it. In an interview with New Yorker reporter David Kushner (May 7, 2012) he said: “I’m the complete opposite of Anonymous. I’m George Hotz. Everything I do is aboveboard, everything I do is legit.” ↩
Upon which the group tweeted: “Freedom of expression is priceless. For everything else there’s MasterCard,” echoing MasterCard’s own iconic ad campaign. ↩