There are times, not often, when government agencies are so clueless that I feel pity for them.
Case in point, the FBI strategy reported in FBI’s Cyber Strategy: Shame the Hackers.
From the post:
The Federal Bureau of Investigation wants to publicly shame cyber criminals after they’ve been caught as part of an effort to make sure malicious actors don’t count on anonymity.
“You will be identified pursued, and held to account no matter where you are in the world,” Paul Abbate, the FBI’s executive assistant director of the Criminal, Cyber, Response and Services Branch, said at a U.S. Chamber of Commerce event in Washington Wednesday.
The FBI’s cyber response team is focused on tracking down “high-level network and computer intrusion,” carried out by “state-sponsored hackers and global organized criminal syndicates,” Abbate said. Often, these malicious actors are operating from overseas, using “foreign technical infrastructure” that makes the threats especially difficult to detect.
Once those actors are identified, the FBI tries to “impose costs on them,” which might include ”economic sanctions, prison terms, or battlefield death.” It also aims to “publicly name them, shame them, and let everyone know who they are…[so they] don’t feel immune or anonymous.”
…
Hmmmm, but if being anonymous is the goal of hackers, why do so many claim credit for hacks?
A smallish sampling of such claims: “Anonymous” claims credit for hacking into Federal Reserve (“Anonymous”), Guccifer 2.0 takes credit for hacking another Democratic committee (Guccifer 2.0), Hacker claims credit for WikiLeaks takedown (Jester), Hacker Group Claims Credit For Taking Xbox Live Offline (Lizard Squad), Hacking Group From Russia, China Claims Credit For Massive Cyberattack (New World Hackers), OurMine claims credit for attack on Pokemon Go servers (OurMine), Grandpa, patriot who goes by ‘The Raptor,’ claims credit for taking down Al Qaeda websites (The Raptor), Iranian Group Claims Credit for Hack Attack on New York Dam (SOBH Cyber Jihad), etc., etc.
Oh, the FBI equates being “anonymous” with:
You didn’t use your home/work email address, leaving your home/work phone numbers and addresses on an “I hacked your computer” note on the victim’s computer.
Hackers avoid leaving their true identity information just like skilled bank robbers don’t write robbery notes on their own deposit slips, it’s a way of avoiding interaction with the police. That’s not shame, that’s just good sense.
As far as “shaming” hackers, the FBI learned nothing from the case of Aaron Swartz, Aaron Swartz stood up for freedom and fairness – and was hounded to his death. Swartz was known among geeks but no where nearly as widely known until prosecutors hounded him to death. How’d shaming work for the FBI in that case?
Public “shaming” of hackers, most of who attack the least sympathetic targets in society, is going to build the public (as opposed to hacker) reputations of “shamed” hackers.
Go ahead FBI, grant hackers the benefit of your PR machinery. “Shame” away.