FBI Warns Hacktivists: You're Breaking the Law

Last July, the FBI executed what is arguably its most public campaign against hacktivists--individuals who breach computer systems to make a political or ideological statement. On Tuesday, July 19, the G-men cuffed 12 men and two women allegedly associated with hacktivist group Anonymous for their supposed involvement in a dedicated denial of service (DDoS) attack against PayPal's website in December 2010.

The July raid appeared to be the largest public indication that the FBI was finally making headway in its investigation of hacktivist activity during a year when groups including Anonymous and LulzSec made a mockery of public- and private-sector computer systems. Between December 2010 and August 2011 alone, they broke into dozens of corporate and government networks with outrage, defiance and glee.

In fact, hacktivist activity had long been on the FBI's radar, according to Shawn Henry, executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch. He first noticed it in the late 1990s, when he was working as a supervisory special agent at FBI headquarters on computer intrusion cases. At the time, hacktivism consisted mostly of website defacements, he says. Today, it's more menacing. Consider the outcomes of just three data breaches launched in the name of hacktivism:

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Last July, the FBI executed what is arguably its most public campaign against hacktivists--individuals who breach computer systems to make a political or ideological statement. On Tuesday, July 19, the G-men cuffed 12 men and two women allegedly associated with hacktivist group Anonymous for their supposed involvement in a dedicated denial of service (DDoS) attack against PayPal's website in December 2010.

The July raid appeared to be the largest public indication that the FBI was finally making headway in its investigation of hacktivist activity during a year when groups including Anonymous and LulzSec made a mockery of public- and private-sector computer systems. Between December 2010 and August 2011 alone, they broke into dozens of corporate and government networks with outrage, defiance and glee.

In fact, hacktivist activity had long been on the FBI's radar, according to Shawn Henry, executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch. He first noticed it in the late 1990s, when he was working as a supervisory special agent at FBI headquarters on computer intrusion cases. At the time, hacktivism consisted mostly of website defacements, he says. Today, it's more menacing. Consider the outcomes of just three data breaches launched in the name of hacktivism:

• LulzSec's hack into Sony's PlayStation network in April 2011 is reportedly expected to cost Sony $171 million by the end of the entertainment company's 2012 fiscal year.

• When Former HBGary Federal CEO Aaron Barr threatened to expose top members of Anonymous, the hacktivist group retaliated by breaking into the security company's systems and exposing controversial and confidential emails. Barr subsequently received death threats and was forced to step down from his job.

• After Anonymous broke into the member database for Bill O'Reilly's website, a woman who's name, email address, physical address and password were exposed during the breach suffered $400 in fraudulent credit card charges and huge amounts of embarrassment after hackers posted pornographic pictures to her Facebook page and sent pornographic emails via her AOL account, according to Ars Technica.

Henry maintains that the FBI isn't motivated by hacktivist groups' ideological agendas. What matters most to the FBI, he says, is that these groups are breaking the law.

"When anybody breaches a network and steals data and then publicizes it--whether they're from a foreign country and they're using the data to help their country's industry, they sell it as an organized crime group, or they just display it because they think the company they stole it from is acting inappropriately--the fact that the data is stolen is a violation of federal law," he says, his voice rising with conviction. "Hacktivism is no different from organized crime groups or foreign governments. It's the exact same activity, perhaps done for a different reason or purpose, and it's all still illegal."

In this exclusive interview with CIO.com, Henry speaks for the first time with the media specifically about hacktivism. Though Department of Justice guidelines prevented him from discussing specific hacktivist groups and open cases, he describes the threat hacktivists pose, the challenges associated with investigating them, and the FBI's success disrupting these groups. He also has a special message for hacktivists.