Arrests in Spain related to the Sony Playstation Network hacking case have computer users wondering whether the loosely organized Anonymous hacker coalition is weakened -- or merely irritated by being busted.
Officers with the Technological Investigation Brigade of the Spanish National Police arrested three people Friday as part of an investigation that began in October 2010. Using Websites and chat networks, police said, Anonymous hackers organized DDOS attacks against Spain's Ministry of Culture.
Who are These Guys?
Spanish police said the three people arrested in Barcelona, Alicante, and Valencia helped direct attacks on Websites for the Sony PlayStation Store, the bank BBVA, the Italian utility company ENEL, and the governments of Egypt, Algeria, Libya, Iran, Chile, Colombia and New Zealand. Authorities haven't released names of those arrested.
Did They Get the Right People? All of Them?
We can't know the answer to the first question, but the answer to the second is "Probably not." Anonymous and similar hacker networks have a loose, decentralized structure that attract people who enjoy the technical challenge of cybercrime or who feel obligated to bring down corporations or governments.
"Police may have found some of the hackers. But how many?" says Harvard Business School professor Benjamin Edelman. "And what stops another group from doing the same thing? For any company that has technically-capable adversaries with a bone to pick, Sony's experience is cause for concern."
"A hacktivist can be simply someone who looked at a news story," says Benjamin Wright, a Dallas attorney who teaches the law of data security and investigations for The SANS Institute. "There is a sense of political mission. Some people in the world feel very strongly about it ... It's a very, very fluid cultural phenomenon we've seen emerge. It's global and it's extremely hard to predict."
What Penalties can be Applied? Will They Go to Jail for a Long Time?
Maybe, Wright says. If prosecutors in many global jurisdictions pursue criminal charges against the hackers, "It could be possible for someone like this to be put away for quite a number of years," riding the international prison circuit from nation to nation.
According to a report in The New York Times, Spanish police confiscated at least one server that they say shows a link between the people who were arrested and various Anonymous attacks. "Forensic proof in cases like this can be challenging," Wright says, but both the law and the technology are evolving rapidly.
SANS Technology Institute President Stephen Northcutt had a more cynical view. "If they are convicted, Spain is not overly tough on computer crime, so they [could] spend about two years in prison and come out as famous security researchers," he says.
Will Hackers Leave Sony Alone?
Not likely, Edelman says. "So far hackers seem to have the upper hand. They've found a never-ending stream of weaknesses in Sony's systems, and at every turn they've been able to disrupt Sony's operations."
Sony's security shortfalls "were particularly egregious," he adds, suggesting that customers who were locked out of their accounts for weeks on end "should receive especially generous compensation."
What Should I Do Now?
Sony PSN customers -- and every other computer user -- should maintain vigilance against data and identity theft issues, Wright says. "You should always be on red alert for security issues," he says. "All of your data is subject to abuse at any time."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.