Is hacktivism an acceptable choice?

This week I attended CSO Online's CSO Security Summit in London, which was tracked into protection and culture tracks. One of the most interesting aspects of this was the focus on mental heath. As any incident responder (professional or accidental!) will know, these can be very stressful. We ignore these issues at our peril.

However the takeaway for me was an observation I made during Lisa Forte's panel: a lot of the discussion and debate around responding to hacktivism focusses on the symptoms (malicious cyber activity) rather than that cause (why young people think this is the way to use and develop their skills). Indeed Sarb Sembhi was the only person I’ve heard recently really talk about motivations, when he mentioned climate activism.

Hacktivism, the combination of hacking and activism, presents several challenges that raise concerns in both ethical and practical dimensions.

While hacktivists often justify their activities as a form of protest against injustice, these actions can lead to substantial collateral damage. Targeting websites or networks can disrupt services not only for the intended targets but also for innocent third parties. This can result in financial losses, data breaches, and a loss of trust in online services. But the biggest impacts can be on those who conduct the cyber activist activity.

Hacktivism often operates in a legally grey area. While hacktivists may claim to be advocating for social justice, their actions can violate laws related to computer security and privacy. This can lead to criminal charges and further complicate the legal landscape surrounding online activism. It’s hard to think of much offensive cyber activity that doesn’t lead to commission of an offense under legislation such as the Computer Misuse Act.

The tactics employed by hacktivists can undermine legitimate and peaceful protests. By resorting to digital sabotage, they risk alienating the public and creating backlash against broader movements for social change. This perception can diminish public support and obscure the original message that the hacktivists aimed to communicate.

The rise of hacktivism also raises issues of cybersecurity. As hacktivists target large organisations, these entities may bolster their security measures, leading to an increase in surveillance and cracking down on online dissent. Such a trend can restrict freedom of expression and stifle legitimate discourse.

Hacktivism can precipitate a cycle of retaliation among groups with opposing views - think cyber activity around Russia’s invasion of Ukraine, or Israel and Palestine. Such actions can escalate conflicts, resulting in heightened tensions and potentially leading to more severe cyberattacks, including those from state-sponsored actors.

It’s even possible to fund yourself detained aboard with very few rights as an enemy combatant: not what most young people will be focussed on when trying to use their cyber skills to address a perceived injustice or support a campaign for change.

We still need to improve our capability to give young people with an interest in cyber the right opportunities to progress that interest in appropriate way.

There remains limited readiness of the education community to support and guide those with a high technical aptitude with challenging work in school, and still - all this time on - very low female participation in STEM subjects.

Many schools do not even offer Computing at secondary level (14-18 / GCSE and A level in UK). Few primary school curriculums even provide the basic building blocks for later success.

We also don't fully understand how to help and support cognitive diversity, which can lead to talented young people feeling isolated and challenged to engage through established paths.

Finally, cyber is also an area of interest that is very hard for parents to support, monitor and guide on.

Jersey Cyber Security Centre supports several work experience students each year, all of whom have made a substantial contribution to our work. But it is the tip of the iceberg if we want to ensure everyone with an interest has a productive outlet for their talents, and understands the risks and personal impacts of taking the wrong path.

Ask anyone who started out in cyber in or before the 1990’s. We all know choosing the wrong path is too easily done.

___

Matt Palmer is an award winning cyber security leader. He currently runs the national cyber defence function for a small island state. He can be found on linkedin or on bluesky.