"The ultimate rulers of our democracy are not a president and senators and congressmen and government officials," Franklin D. Roosevelt once said, "but the voters of this country." These days, you can probably include hackers, too.
In the '60s, protesters took to the streets, but in 2018, protesters take to the internet. Government cybersecurity is at risk as hackers with a cause—also known as hacktivists—strive to make a point by targeting organizations and institutions that have gone against their value in some way. Hacktivists are often loosely coupled groups of individuals spread around the world who use the internet to coordinate attacks against their targets. One of the most famous groups is Anonymous, which has engineered multiple attacks on government and business targets alike.
Recently, this group attacked Norway's computers in retaliation for its policy on whaling and launched a Spanish government hack in support of Catalan independence. It also threatened to hack the US Federal Communications Commission after its December net neutrality vote.
Understand how hacktivists work
Website defacement has been a long-standing technique for hacktivists. In June 2017, pro-Isis hackers defaced 10 Ohio government websites with messages scolding the US government for engaging Isis in the Middle East.
Another common government hack favoured by hacktivists is the distributed denial-of-service (DDoS) attack. In a DDoS attack, hackers point vast numbers of devices at a target, flooding it with online traffic until it falls offline. Criminal groups create DDoS attacks by infecting devices around the world with malware that allows them to control the infected device as they please. Activist groups often persuade volunteers to install DDoS tools, building a willing army of electronic warriors, too. Anonymous has used DDoS attacks with great success, including in Operation Tunisia, its 2011 attack on the interim Tunisian government that kick-started the broader Middle Eastern revolution, known as Arab Spring.
These issues are temporary, but hacktivists also use another, far more worrying technique: data theft. They may not want your data for personal gain, but if leaking sensitive data furthers their ideological goals, they'll do it. In 2017, for instance, a hacker in the US state of Minnesota broke into 23 state databases and leaked private citizens' information to protest a controversial trial verdict.
Bolster government cybersecurity
How can governments protect themselves against hacktivists? The good news is you can often see ideological hackers coming before they strike. Whereas financially motivated hackers like to fly under the radar, staying silent on a target's network for as long as possible, hacktivists rely on making a big public splash to spread their message far and wide. Anonymous will often direct announce its target, along with the reasons for its attack, when it launches a campaign. It's also easy to see the results of an attack, because hacktivists like to make noise about it. Staying on the alert for online chatter about your government office could help you know what to be prepared for.
Public sector authorities can also get ahead of the problem by applying proper government cybersecurity hygiene and protecting their systems with some simple measures. Canada's Communications Security Establishment (CSE) provides guidelines on protecting government networks. They include patching operating systems and applications regularly to stop attackers—including hacktivists—from taking advantage of known vulnerabilities. The CSE also advises hardening operating systems by turning off nonessential ports and services. Limiting administrator privileges and establishing central management of mobile devices can prevent rogue PCs and mobile devices from becoming entry points, as well.
Certain measures can prevent attackers from spreading inside a system, even if a hack occurs. These measures include segmenting information on the network, using higher security requirements for sensitive data, and investing in endpoints equipped with intrusion detection and self-healing. Governments should also isolate web-facing applications, which are a primary target for hacktivists. Using virtualized environments for web-based applications can stop infections from spreading. Developing web-based applications in line with best practice guidance from the Open Web Application Security Project (OWASP) is also an excellent way to keep your web apps hacktivist-proof.
When facing hacktivist threats, it's especially important to prepare for DDoS attacks. Talk to your ISP about what they're doing to protect themselves against floods of illegitimate traffic. In some cases, you may want to use an external upstream DDoS mitigation service, like Cloudflare.
Create a culture of constant preparedness
You can implement all these guidelines as part of a broader risk-management policy for improving government cybersecurity, not just for defending against hacktivists. For that reason, you should move beyond creating strategies when you think you might become a target and institute these practices on an ongoing basis instead.
Besides, you never know who will become a target. Even if your government office is fairly mundane, a policy decision that angers specific groups may provoke an online response. That's why you should make risk management an ongoing process and part of a broader government cybersecurity strategy.
Ideologues are continually looking for targets that don't fit their worldview. If there's any chance you might be one of them, then it's time to tool up.