What LulzSec teaches us about hacktivism

They only engaged in their cyber wilding for 50 days. But, boy, did members of the hacktivist group Lulz Security get their money’s worth when it comes to media attention. They garnered lengthy coverage in the mainest of the mainstream and the geekiest of the trade press for their attacks on websites belonging to the CIA, U.S. Senate, an Arizona law enforcement agency, Sony, and a host of other government and corporate entities around the world.

The self-claimed six people behind LulzSec, apparently a splinter group of the hacktivist collective Anonymous, announced at the end of last month — via Twitter, of course — that their operation was over. What they didn’t mention was whether they were shutting down because they were feeling the heat from law enforcement agencies, which have arrested one British citizen with an alleged connection to the group and questioned many others in the United States and elsewhere.

So what are we to make of LulzSec’s trail of crippled and defaced websites, stolen passwords, and public posting of private and sensitive information intended to intimidate and shame? There are at least a few points to note.

1. Government agencies are big, fat targets.

The muddy manifestos and make-it-up-as-they-go-along tactics of groups like LulzSec indicate that these are crimes of opportunity against carelessly vulnerable targets more often than they are the product of a cogent political philosophy. On a particular day, hacktivists might target a big media company, such as Sony, because of its efforts to curb copyright infringement. But any day is apparently a good one to attack a government agency. PC Magazine’s Chloe Albanesius reports that the group Anonymous has vowed to carry on the work of LulzSec and said its data theft and outing efforts would primarily target “corrupt Governments (in our world this is all Governments) and corrupt companies."

2. Hackers love social networking, too.

Social networking is the new tool in the public relations-savvy hacker’s bag of tricks. The LulzSec Twitter feed had an impressive 283,000 followers by the time the group went silent, changing hacktivism forever, writes Damon Poeter in PC Magazine. “The final ingredient in the group's success was simple,” Poeter writes. “LulzSec delivered. During its 50-day run, LulzSec alerted the public to a high-profile hack, Web page defacement or site takedown about once every three to four days.”

3. Hacktivists are their own worst enemies.

Hacktivists are a boastful, egotistical bunch. They are also prone to professional jealousy. It doesn’t add up to a desirable profile for a stable professional life. “Their Achilles’ heel is they want attention,” Rob Rachwald, director of security strategy at Imperva, told Government Computer News’ William Jackson. However, the interest of law enforcement is not the only kind of attention hacktivists need to worry about attracting. Adam Martin of The Atlantic Wire put together a list of LulzSec detractors, ranging from an ex-military hacker to former LulzSec associates who have been trying to identify and publicize the group’s key members.

4. Some defensive responses will be easier than others.

Many of the hacktivists’ government victims have only themselves to blame because they should have assumed that they would be targets and because they did not have adequate defenses in place against well-known cyber threats, according to GCN’s Jackson. There is no good reason why those vulnerabilities cannot be addressed.

But developing policies and laws that protect free speech and association in the uncharted and highly combustible territory that is the Internet is a much trickier and complicated task. Greater government control of cyberspace will only further radicalize hacktivists and dampen the Internet’s potential as a tool for liberty, writes Loz Kaye, leader of Internet freedom advocacy group Pirate Party UK, in the Guardian. “We've reached a critical juncture: Either we sail headlong into escalating confrontation, or we attempt to change tack and reduce the tension by finding a democratic way forward,” Kaye writes.

That prospect makes installing a software security patch seem pretty easy by comparison, doesn’t it?