All hacktivists should be treated as if they are malicious hackers because the distance between hacking/activism, malevolence, and damage has become too small and too vague.
Hacktivism and its semantic complications
In legal terms, hacking is fundamentally the circumvention of system controls to obtain unauthorized access to that or another system. It is prohibited by the Computer Fraud and Misuse Act (CFAA). There are three basic types of hacker: malicious, ethical, and hacktivist.
All three can be treated differently by the CFAA. The rules, even if not always the practice, are reasonably understood for the first two. The primary difference is intent and damage: if the intent is good, and damage is avoided, the (ethical) hacker may be excused prosecution. If the intent is to steal from the victim and/or damage is inflicted, the (malicious) hacker will be prosecuted.
Where does this leave the hacktivist? The word derives from hacking (illegal under CFAA) and activism (a term often associated with a desire to effect change for the better via civil disobedience). It combines the concepts of illegal actions and good intention, it usually results in at least some damage, and it has always been a problem area for both public opinion and legal consequences.
This is not just an academic problem. All things in cyber evolve quickly; and in times of heightened geopolitical tensions, they evolve very rapidly. Hacktivism is evolving. It is important for both the law and cyber defenders to understand the current and potential activity of hacktivism to better understand how it should be treated.
Hacktivism and the law
There is no legal definition of hacktivism in the US. However, in a paper (Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy) presented to the World Affairs Council in 1999, Dorothy Denning described hacktivism as “the convergence of hacking with activism, where ‘hacking’ is used here to refer to operations that exploit computers in ways that are unusual and often illegal, typically with the help of special software (‘hacking tools’).” Hacktivism is most likely illegal if it involves hacking into another person’s computer.
The US National Counterintelligence Strategy takes a similar view. “State adversaries [including Russia and China] such as Cuba, Iran, and North Korea; non-state actors such as Lebanese Hizballah, ISIS, and al-Qa’ida; as well as, transnational criminal organizations and ideologically motivated entities such as hacktivists, leaktivists, and public disclosure organizations, also pose significant threats.”
It is also worth considering the military acronym MICE, originally used to recognize potential spies but generally applicable to anyone who may become a threat: the motivations of Money, Ideology, Compromise (as in coercion), and Ego. As more elements of this acronym apply, the likelihood of becoming a spy (or a threat generally) increases. But it provides a mixed result on whether hacktivists should be considered a threat. They are not generally motivated by money but are certainly driven by ideology. They are not generally coerced into their actions but are probably egocentric.
This difficulty in classifying hacktivists as moral or immoral people is further confused by Denning’s linkage to ‘influencing foreign policy’, which helps explain why there can be no easy international consensus on hacktivism: friends influence foreign policy for good purposes, foes do so for bad purposes. Much of the hacktivism conducted by the IT Army of Ukraine against Russia is considered moral by the western allies, but immoral by Russia. Much of the election interference conducted by Russian trolls in both the US and Europe is considered immoral in the west, but ideologically moral by the perpetrators.
The overall result of these confused considerations is that hacktivism is illegal, should be considered a cybersecurity threat, but is not necessarily automatically reprehensible in the manner of malicious hackers delivering ransomware. This leaves open the question of whether the law should treat hacktivists any differently to hackers.
Pieter Arntz, malware analyst at Malwarebytes, considers the relativist view. “What is considered good and bad often boils down to which side one supports. Before the [Ukraine war], both Ukrainian and Russian groups were labeled as cybercriminals. However, with Ukrainians targeting Russia and Russians focusing on Ukraine and its allies (including us), it’s natural for us to perceive those attacking us as the ‘bad’ actors, while those we root for are seen as ‘good’.” The context is important.
Nick Hyatt, cyber practice leader at Optiv, agrees with the importance of context. “Not all crimes are the same, so I think it’s important that context be included when considering how the law should handle attackers. If you remove political motivation from the incident, how does it stack up in severity? On the one hand you have a hacktivist that broke into a government’s email server, stole data, and released it for moral purposes. On the other, you have a ransomware syndicate that encrypts a company’s environment, exfiltrates data, and then holds them for dual ransom. Is one more severe than the other? One actor didn’t ask for money, the other did. Does that put the crime into a different classification?”
The argument is valid, but perhaps not comprehensive. Both Edward Snowden and Julian Assange could be considered hacktivists. Any system damage was minimal in comparison to, say, NotPetya and WannaCry – but the political damage was immense. There is no legal forgiveness just because this was hacktivism.
Nevertheless, Callie Guenther, senior manager of cyber threat research at Critical Start, agrees that context is important – not so much to the law, but to the penalty. “If both [hackers and hacktivists] commit the same crime, like unauthorized access or data theft, the law should treat the actions consistently. However, legal systems might consider the intent or motivation behind a crime when determining penalties.”
There is a potential route toward such an approach found in the DoJ’s declaration that it would not prosecute good faith research under the CFAA.
Melissa Bischoping, director of endpoint security research at Tanium, has a more direct opinion. For her, ‘hacker’ is a neutral term (see Hacker Conversations for various discussions on this), while ‘hacktivism’ is not. “Hacker is a descriptor much like ‘woodworker’ or ‘artist’,” she said. “It describes a mentality, personality type, and a set of common interests – but in itself is not inherently illegal and shouldn’t be treated as such under the law. Hackers are human beings. Hacktivism is a form of cybercrime, and people engaged in it are criminals, not just ‘hackers’.”
Criminals? Yes, technically. But Robert Leong, senior director and head of product management for HCL BigFix, summarizes the popular view: “Hacktivists generally have some kind of social or political objective, and seek things like societal change and/or political policy prescription changes. They also tend to limit themselves to ‘non-violent’ kinds of cyber actions, such as DoS attacks or virtual sit-ins, website defacement, Google bombs, website parodies, and IP theft. They tend to eschew actual destruction and/or actions that would result in physical or cyber violence.”
Where their actions may be illegal, he points out that attorneys general, juries and judges are able to grant leniency when it is warranted. “So, for example, if a hacktivist were to hack a goods manufacturer for knowingly using child slave labor, we as a society may agree that their cause is just and although they are performing illegal activities, we would likely treat them more leniently because we agree with their motives if not their methodologies.”
Eli Nussbaum, MD at Conversant Group, cautions that definitions and opinions change. “Hacktivism has, at times, been used to describe activists who legally use technology to peacefully advance their political, moral, and ethical agenda. Most often though, hacktivism describes activity that more closely resembles terrorism or other types of criminal hacker activity as it is legally defined,” he says. “Hackers and hacktivists are criminals who weaponize coding for their benefit. While their ideology may be different, the outcome for victims is similar… there is no tangible difference between hackers and hacktivists in any legal sense.”
Hacktivism and cyberwar
Like ‘hacktivism’, ‘cyberwar’ is another word that is difficult to define (see What is Cyberwar?). The concepts may seem to be far apart – but the reality may be different.
One of the purposes of kinetic war is to effect regime change – and nobody would suggest that kinetic war is ‘good’ (regardless of relativism). But one of the purposes of hacktivism is also to effect regime change (refer again to the Russian trolls disseminating false information at the time of US elections). Does this imply that hacktivism includes an element of cyberwar? That would certainly chime with Bischoping’s view that “people engaged in it are criminals and not just ‘hackers’.”
The current war in Ukraine also demonstrates how dangerously close hacktivism can get to cyberwar. Non-Ukrainian operatives within the IT Army of Ukraine are sometimes considered to be hacktivists purposed with disrupting the economy of the Russian state. Note that the US definition of cyberwar requires human death or the disruption of critical industries to the extent that human death may be an expected outcome. So long as hacktivists do not cause death, they are technically not engaged in cyberwar.
But real life and technical distinctions are difficult to rationalize. In September 2023, Karim Khan, KC, prosecutor at the International Criminal Court, issued a statement on the nature of ‘hybrid’ war. “Cyber warfare does not play out in the abstract,” he wrote. “Rather, it can have a profound impact on people’s lives. Attempts to impact critical infrastructure such as medical facilities or control systems for power generation may result in immediate consequences for many, particularly the most vulnerable.”
It can be seen as a warning to hacktivists operating in or for Ukraine. “Cyber operations are sometimes employed as part of a so-called ‘hybrid’ or ‘gray zone’ strategy,” he continued. “Such strategies aim to exploit ambiguity and operate in the area between war and peace, legal and illegal, with the perpetrators often hidden behind proxy actors.”
Notably, the IT Army of Ukraine immediately responded on its Telegram channel: “IT Army supports this idea and will steadfastly adhere to every letter of international legislation that will regulate cyber warfare.”
The relevance to understanding the nature of hacktivism is that it would only take an error of judgment or coding to transform a hacktivist (generally considered to be a lesser criminal) into a perpetrator of cyberwar (generally considered to be a major criminal).
Just as nation states can deliver a destructive wiper in the guise of criminals using a defective ransomware (evading the accusation of cyberwar), so can they deliver various activities (fake information, social disruption) disguised as hacktivists (again evading any charge of indulging in cyberwar).
It is worth noting the reported comment from Putin at the time of Russian interference in the 2016 election. Many in the US were calling Russian activity an act of cyberwar; but Putin supposedly retorted, “They got up today and read that something is going on internationally. If they are feeling patriotic, they will start contributing, as they believe, to the justified fight against those speaking ill of Russia.”
Putin was effectively saying, ‘This was not the Russian state but Russian hacktivists and therefore not an act of cyberwar (since it caused neither death nor damage to critical infrastructure).’
The proximity of hacktivism and cyberwar may also largely underlie the Red Cross warning of October 4, 2023: “Civilian hackers risk exposing themselves, and people close to them, to military operations… This means that the computers and digital infrastructure they use risk becoming military objectives, meaning that they are at risk of being attacked. Likewise, in the adversary’s eyes, and depending where the hacker sits, they may be attacked – by bullet, missile, or cyber operation.”
What may start as hacktivism can easily escalate into cyberwar, which could lead to further kinetic warfare beyond the immediate confines of the existing conflict. The hacktivist can no longer be viewed as a simple innocent indulging in civil disobedience.
Hacktivism and cyber defenders
Fifteen or more years ago, hacktivism was largely confined to DDoS attacks and political or social messages left on defaced websites. It might have been technically illegal but was considered more an annoyance than a dangerous activity. It was not necessarily something that required millions of dollars spent in defense, but was primarily something that should be considered in risk analysis by companies operating in areas that might engender social or ethical objections.
A watershed may be traced to the DDoS attacks by the Syrian Electronic Army (SEA) in 2012 against major US banks. The group was not known to be state affiliated. The damage was not physical but economic, by disrupting business. SEA claimed the attacks were in retaliation for US support for the rebels in the Syrian Civil War. Thus far the group could be considered hacktivists; but within a couple of years its activities were indistinguishable from any standard hacking gang (including, allegedly, an attack against the water distribution system of Haifa in Israel).
The propensity for hacktivism to expand beyond the confines of the civil disobedience description of activism raises a significant question: can cyber defenders continue to downplay the threat from hacktivists?
Bischoping believes there could be a difference in the defense against ethical hackers, but that hacktivists should be considered the same as malicious hackers. “The focus of security defenders when it comes to ethical hackers,” she said, “is to ensure that any research is being done in accordance with acceptable use and responsible disclosure policies, and preferably coordinated with security teams to reduce alert fatigue.”
Apart from this, the general opinion is that all hackers should be deterred equally. “From a cybersecurity standpoint, defenses should be universal. However,” she adds, “understanding the motivations can help in predicting potential targets or the nature of the attack.”
Here the risk analysis of potential attackers comes into play. However: “Defenders generally don’t have the luxury of knowing motive. We look on the outside, but we cannot look on their heart,” comments Leong. These days, it is difficult to distinguish a criminal gang from a nation state (it could even be nation state hackers moonlighting as criminals). Even with suspected hacktivists, “Our role as defenders tends to be limited to stopping or limiting the success of their attacks, given we don’t know their motives.”
But he does suggest that prior warnings from hacktivists could have a beneficial effect. “This should prompt our internal moral compass so that we do due diligence in investigating the claims, and if our organization is indeed guilty, then we need to take action.”
Understanding hacktivism may seem an academic exercise since a hacktivist uses hacking and is at least legally a criminal under the CFAA. All criminals should be kept out of or cleared from corporate networks.
But should the type of criminal be relevant to the defender? Opinions differ. Malcolm Harkins, chief security and trust officer at Epiphany Systems, has told SecurityWeek, “Running security is managing exploitability. If I over-focus on the nature of the perpetrator, I’m wasting time, because I have no ability to affect the actor.”
John Hultquist, VP of intelligence analysis at Mandiant, says, “It absolutely matters. You can’t do risk assessments if you don’t care who the attacker is… We sometimes forget to ask, who are the bad guys and what capabilities do they have – when will they attack and when will they not attack? Am I even at risk of these people?”
We may still have the luxury of distinguishing between different types of attacker, but frankly we do not have the luxury of treating them differently. The age of hacking innocence has gone. We may still have some lingering sympathy for the social activist within the hacktivist, but as Miguel Clarke, cybersecurity and GRC evangelist at Armor Defense (and former supervisory special agent at the FBI) points out, there are better ways to protest.
“You can have a personal blog, you can run a YouTube video blog, you can podcast,” he comments. “All of these can maximize the advantages of cyber without breaking the laws of cyber.” He believes that defenders should defend, while the courts should be charged with navigating the flexibility of the legal system, allowing ‘intent’ to possibly mitigate punishment where applicable.
In short, with legal alternatives, all hacktivists should be treated as if they are malicious hackers because the distance between hacking/activism, malevolence, and damage is too small and too vague.