
U.S. Government Dragnet and U.K. Questioning of Murdochs Highlight Lack of Organizational Governance

Tuesday, July 19, 2011, will become a red-letter date in the world of cyber-security.  While the British government was busy ‘undressing’ media mogul Rupert Murdoch for his company’s role in the hacking scandal that has rocked the U.K., the U.S. government on Tuesday launched a nationwide dragnet against “hacktivists” who are operating within the jurisdiction of the United States.

A majority of the arrests targeted people alleged to be associated with the online hacktivist movement Anonymous.  The 14 arrestees are charged in connection with the cyber-attacks that crippled PayPal after that company suspended the accounts associated with the WikiLeaks organization.  Also on Tuesday, a New Mexico man, Mr. Lance Moore, was arrested in his home for allegedly stealing confidential business documents from AT&T servers and intending to later post the documents online through a file-sharing Website.  Another man was arrested for accessing the servers at InfraGard and then boasting about it on his Twitter account.  And last, but not least, a 24-year-old man, Mr. Aaron Swartz, was charged with stealing more than 4 million academic files via the Massachusetts Institute of Technology (“MIT”) computer network.

While the determination of intent to commit a criminal act will be left to a court of law, the actions by both the U.S. and U.K. governments highlight the lack of organizational governance at large organizations with regard to data privacy and security.  By analogy, it’s like parking your car in a public garage with the keys in the ignition and the windows rolled down.  Yes, it is still a crime to steal the car, but criminals will take a chance when the opportunity for gain outweighs the risk of getting caught.  The organizations hopefully have the necessary information security policies in place, but a reason for the breakdown is likely tied to how the organizations implement those policies (i.e., they are failing because they are too big).  July 19, 2011, may be a red-letter date in the fight against cyber-attacks, but it should also be a wake-up call for organizations to truly ask themselves whether they are correctly implementing the necessary internal and external controls.
