‘Hacktivists’ increasingly target local and state government computers

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Jenni Bergal
 

Connecting state and local government leaders

By Jenni Bergal

|

State and local agencies must be able to defend against politically motivated attacks that can take websites offline, expose personal information or even knock out utility service.

This article originally appeared in Stateline, an initiative of the Pew Charitable Trusts.

Early last year, hackers launched a cyberattack against the state of Michigan’s main website to draw attention to the Flint water crisis. In May, they targeted North Carolina government websites to protest a controversial state law requiring transgender people to use bathrooms that match the sex on their birth certificate. And in July, they took aim at the city of Baton Rouge’s website after the fatal police shooting of a black man.

It’s called “hacktivism,” a blend of hacking and activism for a political or social cause, and state and local governments are increasingly finding themselves targets. Unlike cyber criminals who hack into computer networks to steal data for the cash, most hacktivists aren’t doing it for the dollars. They’re individuals or groups of hackers who band together and see themselves as fighting injustice.

“It’s digital disobedience. It’s hacking for a cause,” said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states.

Hacktivists have gone after everyone from foreign governments and corporations to drug dealers and pedophiles. Police departments, hospitals, small towns, big cities and states also have come under attack. Online activists have successfully frozen government servers, defaced websites and hacked into data or email and released it online.

“Some take this as being harmless and think it’s another form of protest,” said Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO). “But it can be highly disruptive. It’s criminal trespassing.”

Robinson said he has seen a “significant growth” in the number and severity of hacktivist attacks on state and local governments in the past five years. For the public, it can mean being unable to log on to government websites to get information or conduct business. And for taxpayers, it can mean having to pick up the tab for staff time and additional technology needed to combat such attacks.

When Baltimore was rocked by protests over Freddie Gray’s death from injuries sustained while in police custody in April 2015, for example, hacktivists knocked out the city’s main website that gives the public information about government services for at least 16 hours.

“Hacktivists are almost like vigilantes. They’re looking to disrupt,” said Brian Calkin, a vice president of the Multi-State Information Sharing and Analysis Center, a federally funded group that tracks cybersecurity issues for states and local governments.

Calkin said his group tracked 65 hacktivist incidents involving state and local governments in 2015; the number jumped to 160 last year. And a 2014 survey of state information technology security officials listed hacktivism as one of their top three cyber concerns.

“Hacktivism is becoming more and more of a serious issue,” said Srini Subramanian, a state cybersecurity principal at the consulting firm Deloitte & Touche LLP.

Subramanian said hacktivists don’t just want to disrupt services; they also want to undermine public trust. “That is what is going to move the hacktivists to continue to do this.”

Hacktivist attacks

Hacktivists are an amorphous group. While some may be individuals unhappy with a perceived social injustice, many are linked to loosely associated networks such as Anonymous, a major hacktivist group responsible for attacking government, corporate and religious websites.

Anonymous describes itself on its website as a “relatively small vigilante cyber group” that has “expanded and transformed into a continuation of the Civil-Rights movement.”

Hacktivists use various tools: Sometimes, they hack into private email or confidential records and make them public. Sometimes, they compile personal information about targets such as police officers from the internet or government record breaches and post it online, which is called “doxing” (a derivative of “docs,” slang for documents). The information can include a person’s home address, phone number and even the names of his children. Hacktivists see it as transparency; security experts see it as harassment.

Often, hacktivists launch “denial-of-service” attacks, in which they try to knock a website offline by flooding it with traffic. To do that, they take control of a large group of computers -- sometimes tens of thousands or more -- using malware that unsuspecting people have launched on their home or office computers by clicking on an email with an attachment or a link to a website. The hacktivists then control the so-called “zombie” computers and direct them to bombard a specific website with traffic at the same time, causing it to freeze.

“A given website can only handle so many visitors,” Calkin said. “When you exceed that number, the server will crash. When you keep that attack up, there’s no way to recover it while it’s happening.”

If a government computer system doesn’t have the protections to block such attacks, a website can be knocked offline anywhere from several minutes to 24 hours or longer.

Experts generally don’t consider cyber espionage by foreign governments or intelligence agencies to be hacktivism. But some do include groups such as WikiLeaks, an international organization that publishes secret or classified information, some of which has been hacked by others with political or social agendas.

“Hacktivism isn’t just about crashing systems or bringing down websites,” Lohrmann said. “It’s hacking to achieve the ends of social or political causes. It could be stealing information or publishing information to embarrass or discredit people.”

Some hacktivist attacks have been successful; others haven’t.

In North Carolina, the May attacks over the transgender bathroom law were a bust because the state’s main websites continued to operate normally during and after the attacks, said Katie Diefes, a state Department of Information Technology spokeswoman. The only websites affected were some older ones that simply redirected users to the main ones.

Hacktivists were more successful when they sounded off against the fatal police shooting of Michael Brown, an unarmed black teenager, Aug. 9, 2014, in Ferguson, Mo., which prompted protests and riots.

Within a week of Brown’s death, Anonymous began its assault, using denial-of-service tactics and doxing high-level state, local and law enforcement officials, said Michael Roling, the state’s chief information security officer. The group targeted the state’s main website as well as those of the revenue and public safety departments.

While IT staff was quick to launch its defenses and help blunt the attacks, Roling said state websites suffered brief outages in August 2014 and again three months later, after a grand jury decided not to indict the officer who shot Brown. “Fortunately, we were able to get controls in place before they had the opportunity to do damage or affect the delivery of state services,” he said.

But Roling noted that his team worked for weeks defending the state’s computer network against hacktivists. And it came at a cost: at least $150,000 for services to protect the network.

“We have the resources but we’ve seen some local governments across the country that don’t have the funding or have no way of quickly procuring services to fight these attacks, and their services are knocked offline,” Roling said.

Fending off attacks

Cybersecurity experts warn that state and local governments need to prepare to fight all sorts of online attacks, including those by cyber activists. Calkin said his group recommends that if government computer systems aren’t equipped to handle hacktivist attacks, officials should work with their internet providers to install programs that help block illegitimate web traffic.

Or they can turn to global cybersecurity companies that offer services to combat massive assaults and scrub out “bad” traffic headed toward websites while keeping “good” traffic.

That’s what Minnesota did, said Christopher Buse, the state’s chief information security officer. “We’re seeing more of these attacks than ever,” he said. “They’re bigger and they’re becoming more complex and more costly to defend.”

NASCIO’s Robinson agrees states should step up their game and make sure they have the tools to thwart hacktivist assaults. But he admits it’s hard to fight a threat that can come from anywhere at any time and for any reason.

Robinson also worries that as hacktivism gets more sophisticated, the consequences could become more serious. Instead of potentially affecting citizen services such as revenue collection or driver’s license renewals for a brief period, he said hacktivists could do far greater damage by knocking out the electric grid, water systems or other utilities.

“We are all vulnerable, and hacktivism is going to continue as long as we have these crises or events where political activists want to make a statement, whether it’s a police shooting or a city’s decision to remove camps for the homeless.”

NEXT STORY: Election systems get ‘critical infrastructure’ designation

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.