The Invisible Backhand: How Anonymous Has Already Won

July 31, 2011  |  Uncategorized

The hacker group Anonymous has been on a tear lately, successfully hacking the Tunisian government, Sony, federal cybersecurity contractors, and after suffering from several raids, is now apparently eyeing the FBI.

It’s an interesting era for extreme cyber activism, with the hacker community seemingly finding its voice and becoming very creative in extracting vengeance upon organizations it sees as oppressive. Much has been said about whether this is ethical, if Anonymous can maintain effectiveness, and how things will develop from here. But I think most commentators have missed the point:

Anonymous has already won. And it boils down to one word: insurance.

It looks probable that cybersecurity insurance will become required for many sorts of companies– the proverbial cat is out of the bag, and even if Anonymous isn’t behind the keyboard, so-called “ethical hacking” is likely to increase in popularity. Given this, it’ll become as common to hedge your risk from hacking as it is to hedge your risk from fire or flooding– whenever risk reveals itself, there’s a huge drive to securitize it. But insurance companies aren’t dumb, and it’s likely that the premium on cybersecurity insurance will strongly reflect how much of a high-profile hacker target a company is. Just like it’s more expensive to insure a coastal home from hurricanes, so too it’ll be more expensive to insure a company popularly seen as brazenly greedy against hackers. Companies will have a powerful and quantifiable incentive to not engage in activities that make them a target.

To put this a different way, sometimes companies do things that are legal but unethical. Vigilante justice can ‘reinternalize’ the externalized costs of these behaviors.

Granted, I’m not saying vigilante justice is a good thing– often it’s not– just that Anonymous has the potential to be a very potent market force. The greater hacking community could still snatch defeat from the jaws of victory by being seen as capricious with their targets: if there’s little correlation between deed and penalty, insurance premiums will be high across the board. It’ll be interesting to see how things turn out.

Edit, 8-22-11: Corporate decision-making is subject to numerous internal and external market-driven evolutionary forces which, despite any sentiments of specific corporate officers or token charitable bones thrown to society, make corporate behavior trend toward the psychopathic. Psychopaths understand self-interest, power and consequence– and you can’t change someone’s mind if you don’t speak their language.

On this vein, though I can’t personally endorse this creed, I’m reminded of this quote (from a fictional work) about vigilante justice:

The personal, as everyone’s so fucking fond of saying, is political. So if some idiot politician, some power player, tries to execute policies that harm you or those you care about, take it personally. Get angry. The Machinery of Justice will not serve you here–it is slow and cold, and it is theirs, hardware and soft-. Only the little people suffer at the hands of Justice; the creatures of power slide out from under with a wink and a grin. If you want justice, you will have to claw it from them. Make it personal. Do as much damage as you can. Get your message across. That way you stand a far better chance of being taken seriously next time. Of being considered dangerous. And make no mistake about this: being taken seriously, being considered dangerous, marks the difference–the only difference in their eyes–between players and little people. Players they will make deals with. Little people they liquidate. And time and again they cream your liquidation, your displacement, your torture and brutal execution with the ultimate insult that it’s just business, it’s politics, it’s the way of the world, it’s a tough life, and that it’s nothing personal. Well, fuck them. Make it personal.

The cyberpunk creed as put by Quellcrist Falconer, a character in┬áRichard K. Morgan’s Altered Carbon.



5 Comments


  1. Granted, I'm not saying illegally hacking companies is a good thing, just that Anonymous has the potential to be a very potent market force.

    I'm trying to think of things that are *good* potent market forces these days. While there is a part of me that cheers on things like this (stick it to da man, etc.), I also have to realize that this can very easily be construed as "terrism [sic]" or maybe a source for racketeering conspiracy theories. Of course, I've always had that sort of feel from insurance companies. So many of them have a kind of have a Mafioso-esque feel to them: "That's a nice {car|house|health|baby|.*} you have there, it'd be a shame if something happened to it…"
    So while this will be interesting to watch, it's with the same sort of unrest that I get when a law is passed to protect against terrorism.

  2. This is a really interesting point Mike, and you are right in that the greater the difference in cost of insurance between those that are acting ethically and those that aren't, the better. Of course, this all begs the question, do we want LULZ and Anonymous deciding what are ethically correct business practices and what aren't. Effectively, at some point, we decided that small bands of people weren't going to be allowed to be legislator, judge and jury in the US. Instead we would have municipalities/state/federal governments define our ethical environment. This sorta decentralizes that. Every psycho out there that has every perpetuated a mass atrocity has done it in the name of enforcing his/her moral code that the government refused to. However, you are right. This is where we are today. Now to stay effective the threat has to stay on point and VERY REAL. It won't take long without attacks for prices to start adjusting. As an interesting aside, a future market on cyber attacks on specific companies would provide both an insurance/hedging mechanism for corporations and a market induced probability assessment( which have been shown to be very prescient) of the likelihood of attack on any one company. One of these for terrorist attacks was attempted but was shut down on the notion it was simply too morbid.

  3. From what I've seen (and I've by no means been actively keeping track of things), every target hit so far has had laughable IT security. You know the kind I mean, designed to meet some inane certification-requirement or to allow the generic PHB to check an item off his list, without actually accomplishing anything.

    Rather then 'Cyber Insurance' (god I hate that word) premiums going up, and coverage being seen as just another cost of doing business, I hope that companies will start looking implementing proper security measures, rather then hand-waving it away as we've all seen done in the past.

    It's not a complete solution, but it would go a long, long way towards discouraging this sort of vigilante hacking, by raising the bar significantly in terms of the skills needed to successfully pull it off.

  4. I gotta agree that it's a problematic situation having any non-accountable group decide what's ethical and what's not. And I think it'll be interesting following all these lawsuits against Sony (who had evidently skimped on security and laid off a bunch of security people before the hack).

    Interesting times…

  5. Very interesting, Mike. I’m reminded of our visit in CA and all the stuff that came up in conversation that I don’t usually think about. I think you have a very good point, which gives hackers some Robin Hood potential (that I’m guessing won’t really materialize).
    Rose

Trackbacks

  1. On OWS, fairness, and why we’re all screwed | Opentheory.net
  2. On OWS, fairness, and why we’re all screwed | Opentheory.net

Leave a Reply