As CISPA Hits Congress, Cybersecurity Company Hypes The Fear Of Anonymous

from the fearing-fear-itself dept

Through TNW, we learn of a survey published by threat protection company Bit9 that states an attack by Anonymous is the number one thing IT security professionals fear. Doubtless the release of this survey was timed to coincide with CISPA, the dangerous cybersecurity bill that is being debated in the House this week. It’s no surprise that a security provider would want to play up the fear of cyber attack, but I’m reminded of a quote from comedian Dara O’Briain: “Zombies are at an all time low level, but the fear of zombies could be incredibly high. It doesn’t mean we have to have government policies to deal with the fear of zombies.”

Apart from the fact that the fear of something is pretty meaningless (except to those who sell security, and those who want to pass bad laws), the details of the survey make it clear that this is entirely a matter of the hype around Anonymous:

61% believe that their organizations could suffer an attack by Anonymous, or other hacktivist groups.

Despite the utter sense of fear that Anonymous has created over the years, 62% were more worried about the actual method of attack, with malware accounting for the most cause for concern at 48%.

Only 11% of the respondents were concerned about one of Anonymous’ actual methods of attack – DDoS, while fears over SQL injections dipped to a measly 4%. Phishing was a concern for 17% of the respondents.

So, despite the fact that Anonymous apparently has them shaking in their boots, they know that their real vulnerability is malware—and that’s not really Anonymous’ game. The fear is manufactured.

What this survey calls attention to, though, is a fact that deserves more attention: under CISPA or a similar law, Anonymous would make a juicy target. Security companies and the government could collude and share data not only to strengthen their networks against attack, which would itself be perfectly reasonable, but also to identify and investigate Anonymous members, notwithstanding any other privacy laws. Regardless of how you feel about Anonymous’ tactics, this should concern you: privacy rights and the 4th Amendment exist for a reason, and CISPA would wash them away online. The authors of the bill insist that it targets foreign entities, but it is arguably an even stronger weapon against domestic hacktivism that will inevitably be used and abused.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “As CISPA Hits Congress, Cybersecurity Company Hypes The Fear Of Anonymous”

Subscribe: RSS Leave a comment
Anonymous Coward says:

no surprise here then. just like the entertainment industries, spinning loads of lies and bull shit to thick politicians so they will go along with implementing a completely unneeded Bill that will do no good at all. but anything that will take away peoples rights and undermine the 4th Amendment and anything else in the Constitution will be implemented simply because governments dont want people to have any rights at all any more.

Anonymous Coward says:

“they know that their real vulnerability is malware?and that’s not really Anonymous’ game”

Not really true. Anonymous hackers have been known to use javascript on sites to secretly use people as DDoS tools. While it’s not malware in the sense of taking over your computer fully, it’s certainly a step towards using an end user’s computer without permission.

It’s only a short jump from there to a full on malware attack. Considering the intelligent leader types from anonymous are getting arrested or giving it up, we are left with stupid script kiddies who are very much more likely to want to try anything including malware to get the job done.

Anonymous Coward says:

Hyping the fear of something is all a lot of politicians know to do anymore.

Lately I’ve been hearing ads on the radio hyping up the fear of terrorism, and why you should report ANYTHING unusual to the police right away, even using as an example “that guy on the bus looks really nervous, lets call the cops, why take the chance”.

Mr. Smarta** (profile) says:


I thought that’s what the whole GSA fiasco was for. Draw our attention away from the stricter IP laws and loss of our first amendment rights. Damn it. I guess the American people aren’t fooled. The government better invade a small country suspected of terrorist ties then, otherwise there would be more protests.

And protests against laws taking away American rights is downright un-American…

Anonymous Coward says:


Script kiddes do not make their own malware. Thats the point of the name. Designing malware with 0 day exploits that would be effective against a real corporation is extremely challenging and requires a certain level of genius.

Most hacks occur from social engineering. No amount of laws are going to make people less stupid or companies more secure.

Realist says:

Seems like just desserts for all of the rabble who cheered on the self-destructive antics of Anonymous. None of this could be a surprise no anyone with half a brain. Techdirt should have openly condemned their actions rather than offer up the lukewarm “could be a mistake” type assessments of their threats and vandalism. Anyway, you reap what you sow. The cheerleaders have no justification to snivel, the result was 100% predictable.

Rich Kulawiec (profile) says:

Speaking as a "cybersecurity" professional...

…(although I hate that term) I think I should take a moment to point out the #1 threat to just about every computing operation anywhere on the planet.

Its own users.

I’ve said for years that competent system/network administrators should presume that their users are (variously) stupid, lazy, careless, insane, or actively hostile — and plan accordingly. (And if the users turn out to be none of these things? Oh happy day. Celebrate with scotch. But go back to presuming this tomorrow.)

Users will reply to spam and download trojans. They will infiltrate malware and exfiltrate data. They will pick extremely poor passwords, re-use them elsewhere and write them down. They will give out sensitive information to the nice man on the phone who says he’s from IT. They will bring in their home laptop (the one that hasn’t been updated in two years and that the kids use all the time) and plug it into the corporate finance network. They will click on every shiny thing they see. They will send critical email messages to the wrong address (because, surprisingly, not all domains end in .com) and assert that their boilerplate disclaimer complete with unenforceable adhesion makes it all better. They will pass around USB sticks that have thoughtfully been preloaded with keystroke loggers. They will mistakenly send a 4,000-page document to the printer. They will leave that DVD on the airplane and lose their laptop in the hotel. They will use IE despite being furnished with Firefox, Chromium, and Opera. They will forward chain mail fake virus warnings “just in case”.

And so on.

If you’ve been following the history of major network intrusions and serious data loss incidents for the past few decades, you know that nearly all of them have been caused by someone inside the operation involved. Sometimes it’s a system or network admin: we screw up too. But if you’re betting to win, bet on the users: they seriously outnumber us.

You can’t just drop in a product or service like the ones that Bit9 is flogging and address this. It doesn’t work that way. You have to design with this in mind, from the first cocktail napkin to the whiteboard to the formal layout. If you try to retrofit it, you guarantee failure.

Nor can you address this with legislation. Doesn’t matter who writes it or what’s in it, it’s all worthless.

Good security doesn’t come from products with colorful marketing brochures or from legislation dictated to congresscritters by whoever dropped the most cash into their coffers. Good security comes from smart, paranoid, ruthless, cynical people with an eye for detail and a grasp of The Big Picture. Oh, it’s not perfect: we make mistakes all the time. But it’s the best we’ve got.

TtfnJohn (profile) says:


One “leader” of Anonymous has been busted and maybe more have left but that doesn’t lead to your conclusion that all the intelligent leaders of the group have.

I suppose even a script kiddie can inject malware into a poorly secured site though my own experience with them says the vast majority of what we call script kiddies have difficulty launching their scripts. Take that and add that just about any good security admin is aware of what scripts are in the wild and guard against them.

What Anonymous has done till now says they’re not a collection of script kiddies. Anything but.

Still, nice attempt at fear mongering. NOT.

Anonymous Coward says:


Anonymous doesn’t have the skill to produce clever/dangerous malware, and the damage they’ve caused (DDoS attacks) was only due to their sheer mass.

Anonymous is not a real threat, in terms of security. Stuff like the Zeus botnet, however, is, but you don’t see them complaining about that.

This only highlights that their primary fear isn’t being hacked. Their primary fear is having their dirt exposed by pimply faced kids living in their mothers basement that know how to run a script.

TtfnJohn (profile) says:

utter sense of fear lol!

I guess by chicken sacrifices you mean the take away KFC lunch the IT pros you talk about took into the server room with them. I know that some DO read the docs and man pages but, with MS servers and some Linux servers, it’s a while lot easier to set up and pray from the GUI.

Which is, of course, idiotic as doing it that way makes the site more vulnerable to attack, not less. But if you hire a low level cert that only teaches how to set up from a GUI I guess you get what you paid for. 🙂

Cowardly Anonymous says:


Yes, claims did get a little dramatic there. SOPA was still a bad piece of legislation, even without the dramatized claims. Just as the old copies of ACTA are not the driving force behind protests there either, just a dramatic red herring that proponents have focused on.

The real difference? The protesters point people to the source and asked them verify the allegations. The main drivers of the protests even posted pieces devoted to clearing up the misconceptions in regards to both SOPA/PIPA and ACTA. Bit9 is asking people to trust a survey that doesn’t substantiate their claims, and we have yet to see a source that provides a valid foundation for CISPA.

So yeah, point still holds, fear is pretty meaningless.

gorehound (profile) says:


I for one hate this Government so much at this point they have a lot of things to Apologize to all of us.The GOP are disgusting, despicable, and a complete Circus Show.The Democrats help out others and at the same time they take away our Rights.Both of the Parties are so Corrupt there is no way they will not ever be Corrupt at this point in my eyes.
I want to see a Nation where neither one of these Parties are in our System at all.
If I had a ton of money I would be thinking of just pulling out to live elsewhere.
Wake me up when the Revolution Comes !

Baldaur Regis (profile) says:

Speaking as a "cybersecurity" professional...

Just so. What really chaps me is that, in jurisdictions where data-breach reporting is mandatory, the number of cases where a third-party auditor gets his/her laptop stolen with sensitive info unencrypted is just appalling.

IT can create a fairly secure bubble; good crypto and security practices have been around at least as long as the WWW portion of the internet. In reality though the bubbles are porous; as you point out, IT can only do so much, and trying to legislate against stupidity is a fool’s errand.

TtfnJohn (profile) says:

Speaking as a "cybersecurity" professional...

I agree 100%. The user is the biggest hole in any security system.

I was part of a security audit at the firm I am now retired from and my ability to guess the passwords of some users that I was only mildly acquainted with was appalling. From the most lowly clerk to the executive floor. Everything from child’s name, partner, dog, cat and other various easy to guess names, their own name spelled backwards, “1234567” and on it goes. And the oldie but goodie, “password”.

A lot of these people had also responded to phishing and spam from home but had set “reply to” to their work email. Imagine what happened then!

It’s not that users are hostile, most of the time, it’s that they’re lazy. As are the rest of us. Remembering one password is easier than a few dozen. Writing it down is a way of remembering seems “well, doesn’t everyone do it?”.

No matter what a lazy or just plain stupid people are you can’t design every eventuality into a security system. Bit9’s stuff might be helpful though nothing works as well as educating end users. Even then, they’ll be lazy.

It’s time like this I grab an old quotation that I love:
“Against stupidity the god’s themselves contend in vain.”

aldestrawk says:


Richard Clark, former advisor to 3 presidents including National Coordinator for Security and Counterterrorism, and Special Advisor to the President for Cyber Security, is on the board of directors for Bit9 which is the company that conducted this survey. This is not terribly surprising though. I would not expect congress members to be involved because this company is a technology company providing security software and appliances. US government agencies could be a customer but as their survey emphasized, the solutions IT professionals see for security are not more government regulations and more law enforcement but technological tools to protect against cyberattacks (i.e. what Bit9 sells). Not much use for lobbying here.

Rich Kulawiec (profile) says:


Richard Clark is one of the primary cheerleaders for the concept of “cyberwar” (which does not exist), a “digital Pearl Harbor” (which is breathless hype), and anything/everything else that will funnel money to his pals in the business of billing the government hundreds of millions of dollars for incompetently dealing with a non-existent threat. He’s a shill for the greedy pigs at the trough (like Bit9) and that’s all he is.

Rich Kulawiec (profile) says:


Speaking of botnets: we’re about a decade into that issue now. We know lots of stuff about them:

– Any estimate under 100M should be laughed out of the room. 200M is plausible. 300M is possible. (Vint Cerf posited 250M five years ago. I think his estimate was high at the time…but it’s not high now.)

– They’re overwhelmingly, as in well over 99%, running Windows (which we know thanks to passive OS fingerprinting). More recently: MacOS.

– They’re everywhere: consumer ISPs, corporations, universities, governments, non-profits, desktops, laptops, portable devices, servers.

– Command/control mechanisms for organizing botnets are getting increasingly sophisticated. They’re using various techniques to resist detection and destruction.

– Individual botnets routinely include millions of members and we know some have passed the 10-million mark. Probabilities being what they are, we probably haven’t seen the largest botnet.

– They’re used for everything: sending spam, DDoS attacks, harvesting email addresses, phishing/spear-phishing, hosting illegal websites, providing DNS for abuser domains…too many things to list here.

– They’re for rent. (Of course they are: supply and demand.)

– Every now and then some combination of companies and governments announces that they’ve busted one, usually with a big press release and a lot of self-congratulation about how this represents progress. It’s meaningless. All those systems are still compromised. All those systems are still vulnerable to the same issue that got them compromised. All those systems are now just waiting for the next botmaster to sweep them up…a process which likely started before the triumphant press conference did.

– Anti-virus/anti-malware/anti-whatever aren’t much help. (To borrow a line from Marcus Ranum: if they were ever going to work, they would have worked by now.) This is in part because they never were very effective, and in part because botmasters can commission custom malware that will evade the anti-whatever software, and because social engineering/trojan techniques work beautifully.

– Given the sophistication of contemporary botnet operations, it’s reasonable to think that we don’t see all their members — that is, that some portion is being held in reserve. It’s also possible that one reason we don’t see more than we do is that nobody actually needs that much CPU/memory/disk/bandwidth for anything.

This is pretty much the largest (in terms of scale) problem in contemporary security. It’s not going to be fixed by legislation, CISPA or otherwise. There already is legislation that covers it, and has been since before botnets existed. I leave it as an exercise to the reader to evaluate how effective that approach has been.

aldestrawk says:


I am always skeptical of what Richard Clark says but I would not dismiss everything he says out of hand. I assume that he is always selling something, and to me, his worst fault is intentionally distorting the context or importance of the things he talks about. The following is a short video he did for Bit9 discussing this survey.

In this, he categorizes the different motivations for attacks well (CHEW – crime, hacktivism, espionage, and war). Surprisingly, he downplays the threat of war by saying it doesn’t go on very much. I imagine, that apparent change in his thinking is motivated by who he is currently representing. He emphasizes espionage as being the most important concern. Despite the cover photo for the video being the, Anonymous adopted, Guy Fawkes mask from “V for Vendetta”, Clark doesn’t seem too concerned about hacktivism here.

A Guy (profile) says:

Congressional Logic

Congress seems to think the best way to tackle computer security is to add more bureaucrats that know less about computer security than the people they’re trying to regulate.

Isn’t this how the Soviet Union fell apart? Every time a problem arose they just added an additional level of bureaucracy, and took away more of their citizens rights, until the whole system came crashing down under its own weight, right?

Anonymous Coward says:


Or that corporate control would turn it into a broadcast medium.

Sure the internet would still work but it would not be the internet we know and love today but without piracy. It would have turned into a crippled shell of what it once was. Even if technologically nothing was hindered, but there would have been plenty of technological issues too.

kirillian (profile) says:


Fighting for the rights of those who don’t deserve them is the point and purpose of the constitution. We stand up for even Anonymous because to not do so is to give in to tyranny (the whole, “They took this group, then that, then that, then when they finally came for me, there was no one to stand up for me” thing).

The fact that it was predictable is indicative that it is common knowledge that there are those with power looking to quash the rights of those smaller than themselves. It indicates that you are more than likely shilling for them or just too dumb to tell the difference.

aldestrawk says:


Nice summary of botnets Rich. I would like to point out one aspect of botnets you did not mention. I don’t have the time today to track down a reference, but my memory tells me that a large portion of botnet zombies become zombies because the user does not update their OS or application software to patch security vulnerabilities and/or they do not have anti-malware software installed. There is a correlation between pirated versions of Windows and malware infection. This could be due to the end-users risky behavior in general, by downloading software from any source and blindly trusting it not to be malware, or the end-users mistaken perception that Microsoft insists on applying security updates to only validated versions of MS software.
This is not to say that fully updated systems running anti-malware and IDS systems cannot be infected. They can. However, it is more likely that a system that is not updated will be infected. This makes anti-malware software useful in limiting the size of botnets. Otherwise, why isn’t everyone’s computer part of some botnet? Frankly, I don’t know how to convince people to keep their computers updated, but wider adoption of this practice would limit the size of botnets further. In addition, takedowns of botnets like Zeus and Kelihos is a new technique that pushes the balance further toward limiting the spread of botnets.
One thing for sure, as you say, the problem of botnets will not be fixed through legislation and is not a valid argument in support of CISPA.

aldestrawk says:

Bit9 doesn't support CISPA

If you read the article referenced in this story it is completely understandable that you could come away with the impression it was no coincidence that Bit9 released the survey results while CISPA was being debated and the survey results could be used to support CISPA. I looked further and it seems the survey release may or may not be coincidental but if the timing was intentional Bit9 is only glomming onto any sort of publicity dealing with “cybercrime”.
From Bit9’s web-site and about the survey:

“Despite current plans to implement cyber security legislation, only 7 percent believe that government regulation and law enforcement will best improve security.”

and from:

“So how do we protect against these types of attacks while still not infringing on the privacy of the typical user? The legislation is very broad, leaving a lot of wiggle room for the government to acquire information outside of the bill’s initial intent. Unlike the USA PATRIOT Act, which allows roving domestic wiretaps, CISPA would grant the government unprecedented access to web company user data and trump already passed (and extended) legislation like the USA PATRIOT Act.”

“By putting companies in control, the bill claims to protect each user?s privacy by not mandating private or public web companies to fork over their user data. This would leave companies like Facebook to choose what to do with the information it knows about you as opposed to the government ? a little better, but still disconcerting. Facebook, Microsoft, Oracle, Symantec, Verizon and reportedly Google have come out in support of the legislation ? a stark contrast to the public and company protests regarding SOPA and PIPA.”

“But most of these brands do not have a great track record of protecting user privacy to begin with. So the fact that they embrace support for this bill is a far cry from an authoritative endorsement of user privacy protection. The bill may be an “opt-in” legislative measure, but who is to say that both parties (the government and corresponding companies) can’t both mutually benefit from the sharing of private information? This may now give companies the ability to barter private information with the government in exchange for corporate influence.”

I would say this shows that Bit9 does not support CISPA. It does show that you often need to look past a single blog’s summary of an event or publication, particularly if you are going to make a presumption, about Bit9 and CISPA here, that the blog does not make.

Anonymous Coward says:

I think many are missing the point!! The fact that Chinese supported attacks, as well as other country-sponsored covert actions are and will always be more concerning that Anonymous.. the simple (easy pickings) are to go after Anonymous. To be ‘seen’ to doing something (while the shrill goes on). The laws will only effect the legitimate law-abiding persons, which will get all caught up in bureaucracy, while Anonymous and other covert attacks go on quietly unannounced, causing far greater problems.

Results NOTHING but the removal of basic fundamental rights.. as it’s easier to do!! US gets stifled and the rest of the world develops and drives on ahead. Thus leaving the US behind.. The Land of The Free — Yeah sure !!

Leigh Beadon (profile) says:

Bit9 doesn't support CISPA

Hmm – thanks for the info. Good to know they don’t support it.

Though, I would note that I never claimed they did – in fact I was careful not to because I wasn’t sure about that fact. But whether they support CISPA or not, drumming up fear of cyber attack still seems like their game here. In any case I find it hard to believe that the timing was coincidental – it is probably, as you say, an attempt to ride the wave of coverage and publicity.

That Anonymous Coward (profile) says:

On the one hand, I would love to see Bit9’s operations completely taken apart by Anonymous. Because truly this is the only way to make them look like the fools people know they are.
On the other hand, ripping away the illusion that they are competent would just add fuel to the fire that cybergeddon is on the horizon when the “best and brightest” can not withstand Anonymous.

In the mean time I’d settle for Clark’s email accounts being hacked and dumped online with a full dissection of how it was done. When your spokesperson saying we need more can not even keep himself secure, one needs to question why we are listening to him.

Rwolf says:

CISPA Is Fascism?Disguised In Cyber Security Legislation

CISPA the Cyber Intelligence Sharing and Protection Act if passed will allow??the military and NSA warrant-less spying on Americans? confidential electronic Communications and transmitted private information; circumvent the fourth amendment by permitting any self-protected cyber entity to share with the Feds any obtained information that might relate to a cyber threat. Considering federal government?s close business relationship with several telephone and Internet companies it should be assumed the feds will through CISPA gain access legally or otherwise to Americans? electronic communications. The current House Passed Cyber Security Bill overrides the Fourth Amendment. Any information gleaned from warrant-less spying is admissible in Criminal, Civil and Administrative courts against U.S. Citizens and businesses. CISPA opens the door for U.S. Government spy agencies such as NSA; the FBI, government contractors and private entities (to take out of context) any innocent?hastily written email, fax or phone call to allege a crime or violation was committed to cause a person?s arrest, assess fines and or civilly forfeit a business or property. There are more than 350 laws and violations that can subject property to government asset forfeiture. Government civil asset forfeiture requires only a civil preponderance of evidence for police to forfeit property, little more than hearsay.

The U.S. Justice Department can use CISPA spying to circumvent the Fourth Amendment, (no warrant searches) of Web Server Records; a Citizen?s Internet Activity, personal transmitted emails; fax and phone calls to issue subpoenas in hopes of finding evidence or to prosecute Citizens for any alleged crime or violation. If CISPA is passed it is problematic federal, state and local law enforcement agencies and private government contractors will want access to prior Bush II NSA and other government illegally obtained electronic records not limited to Americans? Internet activity; private emails, fax and phone calls to secure evidence to arrest Americans, to civilly forfeit their homes, businesses and other assets under Title 18USC and other laws. Of obvious concern, what happens to fair justice in America if police become dependent on ?Asset Forfeiture? to help pay their salaries and budget operating costs?

The passed ?Civil Asset Forfeiture Reform Act of 2000? (effectively eliminated) the ?five year statue of limitations? for Government Civil Asset Forfeiture: the statute now runs five years (from the date) police allege they ?learned? an asset became subject to forfeiture. If CISPA is passed allowing (no warrant) electronic government surveillance of Americans, it should be expected CISPA will be used by government not just to thwart cyber threats but to prosecute Americans for any alleged crime; expect government/police will relentlessly sift through Citizen and businesses? (government retained Internet data), emails and phone communications to discover possible crimes or civil violations. A corrupt despot U.S. Government Administration may too easily use no-warrant-seized emails, Internet data and phone call information) to blackmail political opposition, U.S. Citizens, corporations and others in the same manner Hitler used Nazi passed no-warrant police state search and seizure laws to selectively target Citizens for arrest, to extort support for the Nazi fascist government, including strong-arming parliament to pass Hitler?s 1933 Discriminatory Decrees that suspended the Constitutional Freedoms of German Citizens.

A Nazi Government threat of ?Property Seizure? Asset Forfeiture of an individual or corporation?s assets generally was sufficient to ensure Nazi support. History shows how that turned out?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...