Another story by Mudge is about how blurred and poorly worded statements of the Government agencies can pull off cyber attacks by movements like Anonymous.
And there were some confused conversations going: “Oh, why isn’t anybody upset if you treat cyberspace as a domain?” You know, there wasn’t that much upset with treating “space”, and nobody lives in cyberspace, which you could kind of only hear inside the Government, a statement like that. Because if you think about it, we all live in cyberspace. And the hacker researcher community made cyberspace – I’m really not a fan of that word – made the Internet and online our homes well before the Government and everybody else kind of made it just where they always lived and did everything in. So, if you send a message that that’s somebody’s backyard and that you’re going to militarize and prep for war in somebody’s backyard, that can sound really scary, and it can galvanize folks to respond.
One of the problems was there was not an understanding as to who the message was actually intended for. So, in addition to treating it as a domain they said something else, which was – and I’m paraphrasing – in response to hacks, we will consider responding with kinetic force. So, if you don’t actually specifically call out who the recipient of the message is, everybody reading it thinks it’s directed to them. I read it. I thought it was directed to me. And I’m going, like: “What the heck?! You know, I joke my buddy and I replace his HTML, the main web page, and that’s considered a hack and all of a sudden I’ve got launching a Patriot missile at me? This makes no sense. What level of hack? Because if we look at, like, CFAA response, maybe they actually think a Patriot missile is the right thing for defacing a website. I don’t know.”
And none of these are the right questions, because I’m not the intended audience, but of course I’m reading it as if I was. And of course the logical next question is: “Wait, do they understand how attribution works?” What if I do it bouncing through an ally? What if I do it from within the U.S.? Are they going to kinetically respond against themselves? And you kind of go: ok, wait, back up. If the message were directed to, let’s say, other countries, somebody in specific that’s got a significant power that they say: “Look, we’re talking about critical infrastructure or something of that nature, if you turn off the lights in New York, we will probably be able to figure out who you are because you’re not a small little hacker defacing websites and maybe there’s attribution in place we can respond to,” – that would have been an entirely different sort of message, and I wouldn’t have read it as the whole “Wow, if I get root on something in my own system, is the Government going to shoot me?” Which is just silly.
But I wasn’t the only person who read it that way, and it’s nice having been in this field and in the hacker researcher community for going on almost 25 years, actually, over 25 years. And some folks were sending me: “Hey, have you seen what’s going on in the chat rooms?” There were some folks who were claiming affiliation or claiming support of Anonymous, and they were going: “Hey, have you read this? Look who is trying to prep for war in our backyards. Do they even understand how attribution works? This is bullshit! If they think they can find me – it’s on, let’s go.” And the next thing you know there were a couple of websites defaced, and they ended in, like, .gov.
Now, this is where it gets kind of funky. Defacing a website is kind of a message, it’s a little warning shot. But that’s in a language that Govies don’t know. The Govies didn’t get the message as far as what I saw. So here’s the initial Strategy for Operating in Cyberspace that goes out, probably directed to somebody else, but my poor messaging is misinterpreted by a group. The group responds, fires a warning shot. The warning shot isn’t understood. And it’s like: “Hey, what are these vagabonds doing? Look at the little street punks, or whatever. They’re not somebody who actually has a message that we should actually engage in.” And it’s just this little cascading effect.
So, that’s kind of unfortunately where I saw the expanding of scope and a lot of misunderstandings. I’m not saying the two groups should be friends. And I’m not saying one group is good and one group is bad. But when you send a message out into the world – and this is for both groups – you really need to make sure it’s understandable by all the parties that are going to receive it. You can’t assume it’s just going to be read by the person you had in mind. With all love and respect, there is one very obvious commonality between the hacker researcher group and the Government, and it’s that they can be very arrogant and expect everybody will speak their own language and that they don’t have to speak anybody else’s. And I think that’s a really common mistake.
So the recommendation for the Government from my vantage point of both sides is to figure out how your messages are going to be received by the more general populace of cyberspace, because we all live there now. This is actually a great opportunity for diplomacy, and you can kind of think of it like the lost city of Atlantis, because cyberspace kind of took the world by surprise. Obviously, it hasn’t been around that long.
So, what if Atlantis just popped back up, and there was an advanced, very technically capable group of people there? You wouldn’t sit there and ignore them, you wouldn’t taunt them, you wouldn’t attack them. You would probably actually try and understand them and figure out how messaging to somebody else might be interpreted by them. And you might even try and figure out where these guys are and see things eye to eye and see where you have differences.
So my recommendations to the citizens of cyberspace is keep in mind that the Government and in particular the DoD has very specific focuses and goals. And they often see things from their own point of view, because they’re really focused on doing that job. And when you read things that appear to be a message directed to you or your community, coming from an unlikely source, you should question whether or not the message is actually intended for you or if it’s intended for somebody else and really poorly worded. And if you still think a response is necessary, you really need to think about the message that you’re sending to make sure that you don’t make the same mistake in return.
Read previous: Unexpected Stories from a Hacker inside the Government