The Invisible Backhand: How Anonymous Has Already Won

The hacker group Anonymous has been on a tear lately, successfully hacking the Tunisian government, Sony, and federal cybersecurity contractors, and, after suffering several raids, is now even eyeing the FBI.

It's an interesting era for extreme cyber activism, with the hacker community seemingly finding its voice and becoming very creative in extracting vengeance upon organizations it sees as oppressive. Much has been said about whether this is ethical, if Anonymous can maintain effectiveness, and how things will develop from here. But I think most commentators have missed the point:

Anonymous has already won. And it boils down to one word: insurance.

It looks probable that cybersecurity insurance will become required for many sorts of companies: the proverbial cat is out of the bag, and even if Anonymous isn't behind the keyboard, so-called "ethical hacking" is likely to increase in popularity. Given this, it'll become as common to hedge your risk from hacking as it is to hedge your risk from fire or flooding. But insurance companies aren't dumb, and it's likely that the premium on cybersecurity insurance will strongly reflect how much of a high-profile hacker target a company is. Just like it's more expensive to insure a mud-foundation coastal house from hurricanes, so too it'll be more expensive to insure a company popularly seen as brazenly greedy against hackers. Companies will have a powerful and quantifiable incentive to not engage in activities that make them a target.

To put this a different way, sometimes companies do things that are legal but unethical. Vigilante justice can 'reinternalize' the externalized costs of these behaviors.

Granted, I'm not saying illegally hacking companies is a good thing, just that Anonymous has the potential to be a very potent market force. They could still snatch defeat from the jaws of victory by being capricious with their targets: if there's little correlation between deed and penalty, insurance premiums will be high across the board. It'll be interesting to see how things turn out.


AJ said...

Granted, I'm not saying illegally hacking companies is a good thing, just that Anonymous has the potential to be a very potent market force.

I'm trying to think of things that are *good* potent market forces these days. While there is a part of me that cheers on things like this (stick it to da man, etc.), I also have to realize that this can very easily be construed as "terrism [sic]" or maybe a source for racketeering conspiracy theories. Of course, I've always had that sort of feel from insurance companies. So many of them have a kind of Mafioso-esque feel to them: "That's a nice {car|house|health|baby|.*} you have there, it'd be a shame if something happened to it..."
So while this will be interesting to watch, it's with the same sort of unrest that I get when a law is passed to protect against terrorism.

DFrasier said...

This is a really interesting point Mike, and you are right in that the greater the difference in cost of insurance between those that are acting ethically and those that aren't, the better. Of course, this all begs the question: do we want LULZ and Anonymous deciding what are ethically correct business practices and what aren't? Effectively, at some point, we decided that small bands of people weren't going to be allowed to be legislator, judge and jury in the US. Instead we would have municipalities/state/federal governments define our ethical environment. This sorta decentralizes that. Every psycho out there that has ever perpetrated a mass atrocity has done it in the name of enforcing his/her moral code that the government refused to. However, you are right. This is where we are today. Now to stay effective the threat has to stay on point and VERY REAL. It won't take long without attacks for prices to start adjusting. As an interesting aside, a future market on cyber attacks on specific companies would provide both an insurance/hedging mechanism for corporations and a market-induced probability assessment (which have been shown to be very prescient) of the likelihood of attack on any one company. One of these for terrorist attacks was attempted but was shut down on the notion it was simply too morbid.

D-troll said...

From what I've seen (and I've by no means been actively keeping track of things), every target hit so far has had laughable IT security. You know the kind I mean, designed to meet some inane certification-requirement or to allow the generic PHB to check an item off his list, without actually accomplishing anything.

Rather than 'Cyber Insurance' (god I hate that word) premiums going up, and coverage being seen as just another cost of doing business, I hope that companies will start looking at implementing proper security measures, rather than hand-waving it away as we've all seen done in the past.

It's not a complete solution, but it would go a long, long way towards discouraging this sort of vigilante hacking, by raising the bar significantly in terms of the skills needed to successfully pull it off.

Mike said...

I gotta agree that it's a problematic situation having any non-accountable group decide what's ethical and what's not. And I think it'll be interesting following all these lawsuits against Sony (who had evidently skimped on security and laid off a bunch of security people before the hack).

Interesting times...

Rose Arrowsmith DeCoux said...

Very interesting, Mike. I'm reminded of our visit in CA and all the stuff that came up in conversation that I don't usually think about. I think you have a very good point, which gives hackers some Robin Hood potential (that I'm guessing won't really materialize).
