DDOS attacks are being mounted with growing ease, StrategicRISK scans the battleground

When we highlighted the danger of thinking traditional legal remedies could be applied to allegations made online a year ago, (Don’t Reach for the Lawyers, December 2009), we could not have foreseen that 2010 would end with the US Government battling it out with the proponents of free speech following the publication of confidential diplomatic cables on the whistle-blowing website, Wikileaks. Our judgement of the risk remains the same; the Federal Department of Justice may win some legal battles, but they are likely to lose the war. And this particular war may have far-reaching consequences.

To recap: On January 7th this year, it emerged that the US Department of Justice had obtained a court order demanding that the social network site, Twitter, hand over details of a number of people with ties to Wikileaks, among them Icelandic parliamentarian Birgitta Jonsdottir, and had accompanied it with a gagging order into the bargain. Twitter challenged the gag, and won, allowing it to notify the named users that their data had been requested and giving them time to prepare a counter-action. Wired magazine’s comment that ‘by standing up for its users, Twitter showed guts and principles’ was echoed globally by the network’s users. As a direct result, the US ambassador to Iceland was called in to explain why Jonsdottir’s details were being sought. Bloggers are now keen to know whether Facebook and Google received similar court orders and if so, why they had remained unchallenged.

Immediately before releasing the series of leaked cables, Wikileaks suffered several DDOS (distributed denial of service) attacks which succeeded in putting the website temporarily offline. In an apparent act of revenge, sites which had refused to support Wikileaks were targeted in return, with Mastercard being briefly forced offline and Amazon.com also targeted. The ‘hacktivist’ group Anonymous, which has hitherto mostly confined its actions to anti-pirate organisations and the church of Scientology, is widely believed to have had a hand in these attacks, dubbed ‘Operation Payback’.

There are two disturbing trends at work here. One is the polarisation of opinion over the US Government’s actions following the Wikileaks revelations. The second is the growing ease with which DDOS attacks can be mounted. Risk Managers who are not familiar with the Low Orbit Ion Cannon (LOIC), might wish to track it down. This downloadable program allows a user with virtually no technical knowledge to conduct DDOS attacks – and sites are starting to appear where you can just point and click…..and the website of your chosen target begins to suffer overload. The spread of similar user-friendly technologies means that the risk of cyber-attack will no longer be confined to sophisticated hacking attempts. Increasingly, anyone out to make mischief will be able to find the means to do so. Already the ironic vocabulary beloved of the web is tagging such disruptive behaviour ‘online riots’.

The reason why the Wikileaks affair matters here, is that it is driving concerned social network users to the perception that their privacy may not be safeguarded by the websites they use if government lawyers step in. While this has long been known to be the case in many countries, users mostly felt that the big US-based social networks, such as Twitter or Facebook, were safe enough in the land of free speech. Increasingly, this is no longer the case. As The Guardian put it: “President Obama has urged repressive regimes to stop censoring the Internet, yet a bill before Congress would allow the attorney general to create a blacklist of websites. Is robust democracy only good when it’s not at home?” The hostile reaction to Amazon’s and Paypal’s willingness to disown Wikileaks by refusing to host its servers or pass on donations shows that this opinion is widely shared.

So, we have reached a point where concerns about online privacy are growing at the same time as ‘revenge’ technologies are becoming more widely available. Consumers already expect websites to handle their personal data carefully, but they will now be increasingly concerned as to how far website owners will be prepared to stand up to the authorities on their behalf. Commercial organisations may find themselves having to tread very carefully in deciding where their loyalties lie. Even if you just want to sell stuff on the web, or keep a loyal following of brand junkies on your Twitter feed, some political controversy, or single-issue cause may bubble up from nowhere and your organisation will need to decide whose side it is on. Do you defend your customers’ right to privacy at all costs, or do you cave in to the first legal demand? Organisations will be caught between a rock and a hard place. On the one hand lies a hostile battery of lawyers, possibly backed by government fiat; on the other a network of citizens prepared to take your website down or trash your reputation if they feel betrayed.