By Jarek Czechowicz
“It is not a man’s duty, as a matter of course, to devote himself to the eradication of any, even the most enormous, wrong; he may still properly have other concerns to engage him; but it is his duty, at least, to wash his hands of it, and, if he gives it no thought longer, not to give it practically his support.”
Henry David Thoreau, Civil Disobedience.
(Thoreau coined the term “civil disobedience”)
A powerful and growing protest movement is challenging governments and corporations. Using computer technology, internet activists known as “hacktivists” have been staging cyber-attacks since the mid-1990s. When small disruptions to electronic commerce can have an economic effect measured in billions of dollars, the threat to organisations is great.
The term hacktivist is derived from the words hacker and activist; a hacker being someone who unlawfully gains access to information held on the computers of others. The electronic civil disobedience of hacktivists tends to be motivated by human-rights issues.
In April 2002, the West Australian auditing firm KosterWorthy & Associates discovers that the Web sites of several clients have been interfered with. It becomes clear that these businesses have been selected because of their association with KosterWorthy. The firm subsequently discovers that the problem is linked to GenRet Superannuation, a retail super fund, to which KosterWorthy is a supplier.
By mid-April, the cyber-attacks have escalated and media interest reveals that GenRet considers the problem to be serious. Behind the scenes, GenRet contracts additional e-security teams. They scramble to track the source of cyberattacks on several of GenRet’s service providers, including its banker, solicitor and insurer. The attacks are not limited to GenRet’s professional contacts. The targets include anyone related to GenRet within three degrees of separation, including family and friends of GenRet employees and associates.
At an emergency board meeting, GenRet’s chief financial officer, Ken Kirby, says his daughter’s nursery business Web site has been hacked. “Her home page now reads: ‘In 1998, a United Nations Human Development Program report stated that 26% of the world’s people account for 86% of spending for personal consumption. You can stop RockTop Mining! Don’t associate with GenRet!’ ”
Legal officer Noel Murray presents another defaced page that appeared on the Web site of the school his son attends. The Web page message reads: “Lumawa is a small country in South-East Asia. RockTop Mining is polluting Lumawa’s rivers with more than 150,000 metric tonnes of tailings a day. This waste is contaminated with heavy metals that poison the rivers, the land and the food supply of the people. If this were happening in your suburb or your city, you would want it stopped. Stop supporting RockTop Mining. Ask people to withdraw their funds from GenRet Superannuation Fund. This message does you no harm, but RockTop’s defilement of indigenous people and their land is criminal.”
Looking around the room, Murray continues: “This event has become the topic of a school project on electronic civil disobedience and my son wants to know why I work for this company. I’ve been invited by his teachers to address the kids and explain to them how these things work. Multiply this by thousands of similar developments, and you get an idea of what’s about to happen.”
The picture almost complete, Kirby ends with an ominous e-mail that says: “How are you going to stop 500,000 individuals and countless bots from interfering with your operations?” “What’s a bot?” asks GenRet chief executive and former diplomat Ross Peters, whose voice often makes his associates want to clear their throats on his behalf. Peters is pleased to be nearing the end of his term. He has joked that it is a “hardship post” because, despite positive trends in Australia, global industry performance has been low for too long.
After a light cough, Murray says: “A bot is a software robot in cyberspace that carries out programmed tasks – which could include attacks on Web sites.” “Well, we won’t be intimidated by a bunch of key-tapping computer geeks,” Peters declares, remembering too late that GenRet is full of IT and e-security people. He chuckles inwardly at the thought that any one of them could be a hacktivist. He has never felt comfortable with computers and computer people. Kirby interrupts: “I just got a signal that our meeting with Ahern Security is about to start. Murray knows them; they’re on the job now, and Ahern was consulting on our e-security for some months before all this happened.”
The executives move into the dining room to meet Des Ahern over a late lunch.
“What are our options?” Peters says as they walk.
Dr Allan Birch, non-executive director and IT specialist, says: “The hackers have supplied everyone with all the contact details they have collected, so people have been talking among themselves trying to make sense of what’s going on. At this stage, some people are saying they don’t want to deal with GenRet. Others are saying that GenRet needs to come up with some kind of security umbrella.”
“What do you mean?”
“Well, they are saying we should contribute to the improvement of their security, as they are being targeted because of GenRet.”
Murray interjects: “That’s absurd. The real problem is that these attacks are aimed at our business and personal relationships and it’s forcing us into a media circus. We should be fighting this with a PR campaign, not with e-security.”
Birch continues: “Maybe you’re right. E-security is designed to keep data and transactions safe and accessible to authorised personnel; it’s not designed to ward off a social movement.”
The conversation stops as management settles in to hear Des Ahern.
Ahern starts with a short presentation on hacktivism. “Hacktivists can be based anywhere,” he says in his characteristic quiet tone. “They can operate from home, an office or on the road with a laptop and a mobile phone. They can attack from any direction. They generally aim to disrupt the flow of data, incapacitate servers, hijack Web sites, divert traffic to other Web sites and deploy e-mail bombs and viruses. A hacktivist can be anyone from an astrophysicist to a retiree, or a student. They can initiate a bot attack with the click of the mouse as they go off to lunch.”
Peters mumbles: “Any half-wit could jump on this hacktivist bandwagon.”
Ahern continues: “And they do. Doesn’t a similar thing happen when self-appointed vigilantes identify themselves with causes with which they have little or no real association? Don’t investors do a similar thing when they buy shares without understanding the implications of their holdings?”
Peters declines to be drawn on those analogies. Murray smiles – he knows that Peters was not expecting such a comment.
After the meeting, Murray seeks out Peters and says: “We need to rethink this operation. Perhaps it’s time to review our portfolio and look at how our economic returns could generate the types of social return that would prevent this kind of disruption. It could be our most economical option. We certainly wouldn’t be the first organisation to …”
Peters isn’t listening; he is too busy wondering whether outsourcing all the IT and e-security was a good idea, and he is concerned that there isn’t much time to prepare a PR campaign. Murray’s ideas don’t get a proper hearing, and it seems there is no time to map out scenarios at this stage.
After six weeks of attacks, an organisation called Chaotech claims responsibility.
Two hacktivists, WandaWoman and SoupaGirl, provide a glimpse of the collective. Chaotech describes itself as a cyberspace solidarity movement for human rights. Apparently, it has no hierarchy and most operatives are unknown to each other. Leadership is provided intermittently by various individuals who are recognised and respected through their work.
Seven more weeks of attacks and disruptions force GenRet to divest itself of interests in RockTop Mining. A media release from SuRGe, a prominent social reform group, states that the actions of Chaotech, coupled with some reckless media coverage, have created fear in the community that could undermine other important campaigns for social change.
In July, a GenRet spokesman says the super fund will review its investment strategies as soon as it completes a security review. In August, GenRet claims that its ability to trade has been seriously compromised by the cyber-attacks. GenRet is on the verge of collapse.
High levels of e-security make e-businesses less functional. How would this affect GenRet? As global information increases, data filtering becomes more important. In what ways did GenRet fail to use available knowledge? Was GenRet using its best option by responding to Chaotech’s cyber-attacks with e-security? How would GenRet’s transformation into a socially responsible investor affect its e-security requirements and its moral obligations?
Proposed Solution #1
e-Varsity is a private e-learning company that offers instructional and educational design to universities and companies. Its services extend to content management, multimedia development, video streaming and e-commerce applications.
Any company that conducts its business in a distributed information environment, which includes just about every company using the Web and e-mail to develop relationships with suppliers, clients or partners, needs at least two levels of security in place.
At the first level, it is vital that a company identify the full extent of risks associated with conducting business, before developing strategies to manage such risks – a thorough “vulnerability audit”, if you will.
At the second level, and as part of a comprehensive risk management strategy, it is vital that all those who have any relationship with the company – whether employee, client, partner or supplier – are informed of the nature of that company’s operations. It is crucial that a company not seek to hide its business relationships or practices. To do so simply provides a means of hitting that company, and possibly a reason.
In the same sense, it is equally important for a company to live by business principles that are likely to facilitate sustainability.
It is not unusual for companies these days to seek to meet the “triple bottom line” (TBL). This focuses corporations not just on the economic value they add but also on the environmental and social value they add – or destroy.
At its narrowest, TBL is used as a framework for measuring and reporting corporate performance against economic, social and environmental parameters. At its broadest, the term is used to capture the whole set of values, issues and processes that companies must consider if they are to minimise harm resulting from their activities and create economic, social and environmental value. This involves being clear about the company’s purpose and taking into consideration the needs of all stakeholders: shareholders, clients, employees, partners, governments, local communities and the public.
It is also worth recognising that computer and internet security are a specialist’s domain. Certainly, many companies have been left vulnerable simply as a result of the proliferation of internet connectivity and of internet technologies being in a state of flux and growing sophistication. Once this is understood, the question becomes whether to increase security expertise in the company or to outsource.
GenRet has favoured employing a managed security service from a specialist company (Ahern Security). But the extent of those services is not clear, nor is the investment made in them or the completeness of the work Ahern has already done.
There is a general lack of understanding among many managers of the pervasiveness and seriousness of today’s security threats; this includes Ross Peters of GenRet, judging from the comments he makes. Consider a list recently published by the SANS (SysAdmin, Audit, Network, Security) Institute (www.sans.org/) of the seven worst security mistakes senior executives make:
1. Assigning untrained people to maintain security and failing to provide the training or the time to learn the job.
2. Failing to understand the relationship of information security to the business problem.
3. Failing to deal with the operational aspects of security – making a few fixes but not ensuring that the problems stay fixed.
4. Relying primarily on a firewall.
5. Failing to realise how much money their information and organisational reputations are worth.
6. Authorising reactive, short-term fixes, thereby allowing the problems to re-emerge rapidly.
7. Pretending a problem will go away if they ignore it.
In GenRet’s case, the problems stem from a confused attitude to its business practices; a lack of understanding of the risks inherent in those practices, and how to manage those risks; and a CEO who fails to embrace information security as a vital component of management, forgetting that it is not possible to manage what is not understood.
Even after the first attacks have occurred, the fallout can be contained. The company was subjected to hacktivism, or cyber-terrorism, where the internet is used as a tool of propaganda and misinformation in support of a political or social goal. Since it is propaganda rather than destruction that is in the minds of the cyber-terrorists, it is possible for GenRet to counter its adversaries’ thirst for public disinformation. GenRet’s answer to the first attacks should have been swift and decisive. First, it needed to plug the holes and put into place measures to track the perpetrators of the attacks. This is entirely feasible, notwithstanding the views to the contrary of Noel Murray, GenRet’s legal adviser.
Second, GenRet might have tried to defer the attacks by appealing to the cyber-terrorists themselves at the outset. This might have led to GenRet meeting the demands of the foe, but it might also have bought valuable time to enable GenRet to take measures to track and identify the attackers, and to put in place the means of rendering the attacks less effective. Third, it should be recognised that many “hack attacks” occur with insider knowledge. It is reasonable to suppose that GenRet’s attacks occurred with the support of an employee who had access to the sort of information that had been turned against the organisation. This should be investigated.
GenRet’s problems arise because of inadequate management, consequent poor security and a lack of understanding as to how to recover from the initial attacks.
Proposed Solution #2
Steve White, LL.B, B.Sc, MACS, is principal of White SW Computer Law. He has 17 years’ experience in the IT industry in Australia, is a qualified arbitrator and mediator, and is an accredited specialist in commercial litigation.
The scenario presents numerous problems for the management of GenRet. The options available to GenRet seem to be:
- Concede to the unlawful demands and interference in its business by the activists.
- Improve security.
- Commence legal action.
- Commence a vigorous PR campaign.
GenRet needs to put together a sensible business plan to resolve the problem. The first step is to consider each option in turn after considering management’s legal obligations.
The obligations of the management are clear. Each officer is obliged to ensure that GenRet is conducted in a manner that directly benefits its shareholders in accordance with law. Further, by virtue of its business as a superannuation manager, GenRet and its officers have fiduciary obligations to the beneficiaries of those superannuation funds.
Those obligations involve, among other things, putting the interests of GenRet and its beneficiaries before the officers’ own interests. This would extend to the consideration of any political views of officers of GenRet as to whether a certain kind of investment or relationship was in their individual view good on a moral basis. The situation would be slightly different if the corporation advertised its investment policy to its beneficiaries as a socially responsible investment and indicated the areas in which it proposed to invest, notwithstanding that they might not be the most profitable available. For example, if GenRet advertised that it did not invest in nicotine or alcohol products, it would be under an obligation not to make such an investment, even if it turned out to be profitable.
The Corporations Act also gives some guidance in this regard. Some of the relevant sections are:
- S.180: Care and diligence – civil obligation only.
- S.181: Good faith – civil obligations.
- S.182: Use of position – civil obligations.
- S.183: Use of information – civil obligations.
- S.184: Good faith, use of position and use of information – criminal offences.
Option 1: Concession
This option would not seem to discharge the officers’ obligations to GenRet or the beneficiaries. It involves GenRet taking an investment path that is clearly not in the best interests of GenRet or the beneficiaries.
Accordingly, the officers who made the decision to divest the organisation of RockTop without a proper investment strategy are clearly exposed to suit.
Option 2: Improve security
GenRet’s security is inadequate and places it at serious risk of suits from the beneficiaries of the superannuation trust fund for failure to protect the confidentiality of those parties and the investments of the fund. Whatever the level of security GenRet has – if the conduct of which GenRet complains is actually occurring – it is inadequate.
The suits might be, among others, breach of confidence, negligence, breaches of specific superannuation legislation against GenRet, and, potentially, against the officers (by GenRet) and against GenRet (by beneficiaries). Further allegations could be made should it be discovered that an employee or former employee is responsible for the breach.
Option 3: Legal action
Before any legal action is commenced, it has to be ascertained what the objectives are.
There are two sorts of legal action: criminal and civil. Which one is used ultimately depends on the outcomes that GenRet seeks.
Possible criminal charges include computer trespass and offences relating to damage of Web sites and criminal defamation. The possible outcomes are imprisonment and fines. A secondary objective is compensation. Its scope and conduct is usually determined by the police and the Department of Public Prosecutions.
The possible grounds for civil action include breaches of the Corporations Act, breach of confidence, breach of fiduciary duties, breach of contract, defamation and the tort of inducement to breach contract. The primary purpose would be injunctions and compensation.
A primary problem in this case is identification of the defendant. Until all appropriate enquiries are made as part of Option 2, and logs are located to determine some starting point for information that may lead to the identification of the defendant, these suits cannot be commenced.
Option 4: PR campaign
This is a matter that requires careful consideration. Bad press to which no response is received will probably die unless the public has a particular interest in it.
Accordingly, any PR campaign should be carefully considered after applying the business judgment rule set out above.
GenRet’s situation is woeful on several fronts, requiring urgent attention by management. There are no easy solutions, but the organisation is entering a legal minefield simply because it can’t get its IT infrastructure in order. Whatever the solution, it will need careful deliberation.
www.computerlaw.com.au