DDoS in defense of (insert cause) is still criminal

By | February 13, 2012

Posted in: Enterprise DDoS Protection

Are hacktivists protesters or criminals? The question is not a matter of semantics; it has real bearing on how we respond, not as members of the security community, who are responsible for protecting IT information and services against attack, but as a society, particularly in the realm of criminal prosecution. My take is that distributed-denial-of service (DDoS) attacks and data breach hacks have to be treated as criminal acts, regardless of motive.

An article I read on CBC.ca, “4 signs 'hacktivism' has gone mainstream,” triggered my thinking on the subject, particularly quotes from Molly Sauter, a researcher at the Center for Civic Media at the Massachusetts Institute of Technology. She notes that the hacktivist group Anonymous, in particular, has generally launched its campaigns in support of its view of Internet freedom issues. The article makes the case that Anonymous has been effective in drawing attention to its causes, from support of WikiLeaks to opposition to SOPA (Stop Online Piracy Act) in the U.S. and ACTA (Anti-Counterfeiting Trade Agreement) in Europe. More amorphous motives were in play in a week of DDoS attacks against Brazil’s largest banks in protests against “the countless inequalities in the country.” Makes the aims and program of the Occupy movement clearly delineated by comparison.

Anonymous has the technical chops, easy-to-use, easily distributed tools (Low Orbit Ion Cannon or LOIC), and the communication skills to mobilize enough participants to launch effective DDoS attacks against selected targets. It also engineered several high-profile data breaches, perhaps most notably against the Sony PlayStation Network.

The article raises some concerns about prosecution of hacktivists, not only those most responsible for the planning and execution of attacks, but the thousands of less engaged participants. This concern was underscored during the attacks in retaliation to the Megaupload takedown, in which participants, many apparently without realizing what they were doing, launched DoS attacks simply by clicking on a web link.

Sauter raises concern about over-aggressive prosecution. Several people were arrested in connection with DDoS attacks related to the WikiLeaks. The broad language in the Computer Fraud and Abuse Act has given prosecutors too much latitude in pursuing felony charges in DDoS cases.

She argues, for example, that few of the Occupy protesters who were arrested have been charged or prosecuted, but that hactivists are being prosecuted on the same terms as criminals who use DDoS to extort money from online businesses. She is quoted:

"You are seeing prosecution of acts of digital activism that are being prosecuted as computer crimes, not as acts of political speech, which is chilling and, in my opinion, incredibly misguided."

From my perspective, motive may be a mitigating factor in sentencing, along with prior criminal record, the degree of a person’s involvement, etc. But let’s note a few points before we start equating DDoS and database hacking with peaceful protest.

We are not talking about marching down Main Street carrying signs and shouting in support of your cause.

We are not talking about civil disobedience. DDoS, whether you support the particular cause or not, is by definition disruptive and destructive. It costs the victim companies money and disrupts online services and access to information on commercial and/or government sites.

If, by some convoluted logic, you were to equate these actions with civil disobedience, it is essential to note that acceptance of the consequences of one’s actions is central to it. If I sit down in front of a bank entrance for example and refuse to move, I expect to be carried bodily and arrested.

Equating DDoS with the Occupy movement as a form of protest is bewildering. Except in those cases, such as Oakland, where street violence erupted, Occupy participants squatted in public parks with the tacit approval or at least sufferance of authorities for extended periods and, in most cases, disbanded peacefully or allowed themselves to be arrested.

DDoS is an overt, offensive activity. It is a digital Molotov cocktail. It’s not sitting in the bank doorway; it’s torching it. You may argue, if you like, that the ends justify the means, but let’s recognize the means for what they are: overt criminal activity that government has not only the right but the obligation to prosecute.

You May Also Be Interested In: