"If they don't listen to us, do they deserve it?" is the question being asked in a new study exploring modern attitudes surrounding the legitimacy of cybercriminal activities.
Today, the breadth and scope of cyberattacks are vast. Unsecured cloud servers and data theft have created a lucrative trade in carding forums; identity theft and online fraud are rampant; the mass sale of PII dumps is common; ransomware attacks on hospitals cause patient deaths; attacks launched against utilities prompt city-wide blackouts; and state-sponsored groups covertly conduct cyberespionage for political or financial gain.
Often, cyberattack attribution can be difficult -- but not always. So-called hacktivists, for example, may claim responsibility for website defacement and other kinds of attacks for political, religious, or social purposes.
Over the past decade, hacktivism became commonly associated with the Anonymous collective and LulzSec offshoot, which opportunistically aligned with various social campaigns over the years, extending protests from the sidewalk to the digital realm.
Website defacement, distributed denial-of-service (DDoS) attacks, and doxxing are common tactics for these groups -- with members often anonymous and based worldwide -- and as tools for these purposes became cheap and easily accessible, everyone from a black hat to a script kiddie could take advantage.
It is important to note, however, that the general public can become collateral damage in such attacks if their online accounts or data are compromised.
Despite 2020 -- and the overall year it has been -- hacktivism incidents, on the whole, appear to have waned. However, as shown when Anonymous' social media accounts suddenly gained millions of new followers during the Black Lives Matter protests sparked by the death of George Floyd, there may still be an undercurrent of support for such activities when social injustice is felt -- or the belief that voices are being ignored.
In a research paper, "'If they don't listen to us, they deserve it': The effect of external efficacy and anger on the perceived legitimacy of hacking," published September 30 in the academic journal Group Processes & Intergroup Relations, researchers have examined how disappointment in social systems could change how we view, and whether or not we would support, hacktivism.
University of Kent academics Maria Heering, Giovanni Travaglino, Dominic Abrams, and Emily Goldsack conducted two studies in which participants were presented with "unfair" grading practices and the exploitation of their work in university and online platform settings.
They were then told that upper management was either willing or unwilling to investigate their complaint.
In the next part of the study, participants were told that the authority's website had been defaced and access was disrupted over the course of several days.
Including responses from 259 undergraduates and 225 non-students, respectively, the studies build upon a "social banditry" framework proposed by Travaglino in 2017, in which "despite acting illegally," the activities of 'bandits' that provided "otherwise voiceless masses with an opportunity to express their grievances" could secure the support of community members.
When an authority was considered unresponsive and their complaints were not taken seriously, participants reported anger -- and the perception of the legitimacy of the hacktivists' attacks increased, making them "more likely to legitimize the hackers' disruptive actions as a way to manifest their own anger against the organization."
"Support for hackers is a key expression of vicarious dissent because hackers' actions are highly visible and public, require expertise that laypeople do not generally have, and often (but not exclusively) may be aimed at government agencies, corporations and other powerful entities," the paper reads.
In other words, members of the general public who feel ignored and powerless in an unjust situation may be more inclined to support today's digital Robin Hood figures -- no matter other potential consequences, such as data loss or theft, operational disruption, business cost, or whether or not the criminal actions force an authority to rethink their position.
The team says that in the future, it may also be worth exploring how such 'bandits' may lose support, such as if their actions are seen as "selfish" rather than "getting back" at authority.
"While this study explored individuals' feelings of anger, there is certainly more to be explored in this research area," Heering commented. "For example, there might be important differences between the psychological determinations of individuals' support for humorous, relatively harmless forms of hacking, and more serious and dangerous ones."