Cyber-protest reflects cyber-warfare in its advantages over its physical counterparts; it is difficult for law enforcement to identify and prosecute the cyber-perpetrators. Cyber assaults in all forms are economical to conduct and the financial returns are overwhelming: an attack like the one on Sony or STRATFOR (where payment information was compromised and published, causing reputational damage) can cause potentially millions of dollars in actual and reputational damage at a fraction of the cost.
Cyber-protest groups such as Anonymous have begun to affect the physical sphere. Anonymous were the organizers for the BART protests in San Francisco. Occupy Wall Street was the brainchild of the Adbusters protest group, with Anonymous becoming vocal promoters of OWS as the event grew close. Although the “Occupy” concept began in Spain and Greece, it has achieved global recognition under the Occupy brand. Now the Occupy Movement is seeking other forms of expression because the actual occupations have dwindled in numbers and media coverage has waned. Therefore, cyber-protest becomes more appealing.
Cyber-protest delivers all the same threats to companies that physical protest does: compromise of reputation; compromise of individual leaders and employees through doxing (the publishing of sensitive personal information on the internet); and the compromise of physical infrastructure and assets (hackers can disrupt SCADA systems connected to the internet, or anything on the grid, from nuclear plants to electric turbines). As a result, if any of these components are attacked, the assault will have a significant effect on the financial interests of the company.
Cyber security has therefore taken on a whole new front. Companies must not only assess and manage the risks to their data centers, payment systems and finances, which tend to be better protected than the rest of the company; the penetration of the company’s e-mail systems, its records, its files and all its facilities must now also be of concern. If Anonymous can hack the FBI’s e-mails and monitor telephone conversations, one must assume nothing is truly safe.
What actions can companies take? Any company that has an active General Counsel will already have policies concerning what is written in e-mails, with good cause because of what occurs during legal proceedings. With the cyber threat, that exposure increases and becomes an ongoing vulnerability. Making certain that physical and cyber systems are protected from being mutually compromised is also important. From the physical components of gates and guards through to the IT systems that facilitate security, physical penetration is certainly viable at this stage, and there are some assaults that can only be carried out through physical penetration, including insider threats.
Companies MUST understand their protester risk. Once the threat has been established, the means by which protests may materialize, whether physical or cyber, can then be assessed. Once a company fully understands the risk it faces from the protest community because of its own actions, those of its counter-parties and those of its supply chain, it can begin to understand the threats and the measures that can be put in place to manage those threats.
AUTHOR’S UPDATE – February 15, 2012: On Tuesday morning, Anonymous began attacking the websites of companies that sell less lethal weapons and technology, with the main focus apparently being Combined Systems, Inc. When the press covers the use of CS gas in Bahrain, it is the logo of Combined Systems, Inc. that is most often seen. This is an excellent example illustrating the point that one must understand the complete protester threat to a company as part of routine risk management, no matter how far from controversy one might believe one’s company to be. Once the exposure is understood, one can design one’s response to it. This requires understanding the supply chain and the political context.