As LulzSec disbands, threats remain

Hacktivist group LulzSec officially disbands, but the threats are far from over. Should organizations begin addressing the problem, or continue chasing the solution?

The hacker group Lulz Security may have announced its farewell, but a New York Times report noted on Sunday that the threat of attack is far from over.

Well, duh.

According to "security experts" quoted in the article, major cyberattacks -- such as on the websites of the C.I.A., U.S. Senate or global tech company Sony -- will continue as splinter groups and copycats try to emulate LulSec's "revolution."

Sound familiar? Trade the name "LulzSec" for "Al Qaeda" and you can accurately describe the American military campaign in Afghanistan: a ragtag group of government irritants that fragments and heads underground, creating an environment that can only be described as "Whack-a-Mole."

Most reports I've read about the LulzSec incidents demonstrate that there exists concern that a single actor could take down a system -- no organized group necessary.

But let's get real: has that ever not been the case?

It's clear to me that headlines screaming about the goose chase surrounding LulzSec or the larger group Anonymous hide two real stories:

  1. Many large security systems are not robust enough to withstand the efforts of a determined professional;
  2. Large companies don't want to admit this fact.

The first point is one of concern for any tech professional working at a major company; after all, security measures should be as robust as the data they're protecting is sensitive.

But the second point is provocative because, as we've seen thus far, most LulzSec attacks are somewhat politically motivated -- that is, they're always trying to make a point, and not just rifling through people's digital homes for the sake of it.

On more than one occasion, LulzSec has indicated post-hack that it was doing so only to draw attention to easily compromised security systems that supposedly protect sensitive data. Think about it: rarely is the data itself of concern. It's always about who was sleeping on the job.

While the media and law enforcement feed the frenzy to identify and capture the hackers, perhaps we ought to pause for a moment and consider the message: if you're willing to take ownership of private data in the 21st century, you're also implicitly agreeing to protect it. Too many organizations are willing to do the former without taking enough steps to satisfy the latter.