Understanding Politically Motivated Cyberattacks

As Wikileaks pushes the subject of politically motivated cyberattacks into international headlines, a year-long study funded by the Open Society Foundations highlights the growing threat of cyberattacks against independent media and human rights websites. The research finds that targets can do little to prevent such attacks, and should focus instead on mitigating harm.

But within the evolving structure of the Internet, independent media and human rights sites face a critical dilemma: Should they weather the storm on the edge of the network, or risk censorship and data loss by seeking the protection of powerful intermediaries?

The Internet is a crucial tool for independent media and human rights organizations to communicate their message and their mission to the world, and to shed light on issues mainstream media would rather ignore. But the Internet also provides a new set of tools for those who would suppress speech: hacking attacks on an organization’s technical infrastructure such as Distributed Denial of Service, or DDoS attacks.

New research sponsored by the Open Society Foundations seeks both to understand the ways in which DDoS attacks are being used to suppress speech, and to make initial recommendations to independent media and human rights organizations to fend off such attacks. The resulting report, Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites, has now been published.

The Berkman Center for Internet & Society at Harvard University, which authored the research, monitored reports and spoke to activists and media practitioners in nine countries: China, Russia, Iran, Kazakhstan, Uzbekistan, Egypt, Tunisia, Vietnam, and Burma. They found that cyberattacks against independent media and human rights sites have been increasing for some years, and show no sign of abating.

DDoS attacks, which focus on generating web traffic that consumes scarce computing and bandwidth resources so that legitimate traffic cannot get through, are often accompanied by other attacks, such as defacement, intrusion and site hijacking. The researchers found that DDoS attacks appear to have no strong associations with particular political principles or motivations, and can affect a wide range of independent media and human rights targets. They found that attacks don’t need to be large in scale to bring such targets to a standstill for a considerable amount of time, and that many of the organizations they studied had inexperienced systems administrators and precarious hosting setups.

The Berkman report draws the uncomfortable conclusion that independent media and human rights practitioners can do little to prevent DDoS and other cyberattacks, and should instead focus on mitigating harm from attacks when they do occur. Mitigation tactics include providing backup sites on hosted services more resilient to network-based attacks, or static HTML versions of websites that are less vulnerable to application-based attacks than their interactive equivalents.

Although the report gives some starting points for smaller NGOs to begin planning ahead for DDoS attacks, it is clear that more guidance is needed, and the Information Program will now focus on ways to frame and target such guidance. The report makes several recommendations to human rights funders about ways to work with local communities and internet service providers (ISPs) in order to address the DDoS threat to free expression online.

Independent media and human rights websites are in a particularly vulnerable position in the context of the evolving Internet landscape. As the web has become increasingly more central to businesses around the world, technical and social structures that mitigate against DDoS and other cyberattacks have become concentrated at what the report dubs the “core” of the network: Tier 1 ISPs, large Tier 2 ISPs, giant hosting companies like Google and Amazon, and Content Distribution Networks like Akamai.

These structures—be they banks of redundant servers that can help filter or divert traffic floods, or trust-communities of experienced network and systems administrators who communicate and collaborate with one another to fight DDoS—are often unavailable to the human rights and independent media community, who tend to host with Tier 3 providers on the “edge” of the network. “Core” providers can be unattractive to independent media and human rights websites: “core” ISPs in many nations have close contact with national government, while the “hypergiant,” U.S.-owned providers such as Blogger and Amazon can expose independent media and human rights practitioners to data protection risks and intermediary censorship.

Such issues have enjoyed serious visibility recently thanks to Amazon’s decision to remove Wikileaks from its servers, ostensibly under pressure from a U.S. senator, while citing its terms-of-service policy. As Ethan Zuckerman, the lead author of the report, observes on his blog:

[When] Wikileaks came under sustained DDoS attack… the topic of DDoS as a form of censorship started receiving international media attention. As Anonymous activists have started using DDoS to call attention to PayPal, PostFinance, Visa and MasterCard’s decisions to cut off Wikileaks as a customer, DDoS has become the subject of a great deal of media attention and reader interest.

The research was commissioned and conducted before the decision by Amazon to suspend its service to Wikileaks and, as Zuckerman observes, “the suggestions we offer to organizations, network administrators and the broader activist community were designed primarily for the benefit of organizations that receive much less attention and Internet traffic than Wikileaks is currently experiencing.”

Nonetheless, it is true to say that Wikileaks has served to highlight the dilemma that is also faced by many independent media and human rights websites: do they remain on the edge of the network, and face greater risks from DDoS attacks, or do they move to core platforms to achieve DDoS resistance and give an organization which does not share their goals a potential veto over their content?