How Should Management Deal With “Anonymous”?
Summing Up When it comes to the leaky Web, Jim Heskett's readers say assume the worst and act accordingly. (New forum on February 3.)
The title of this wrap-up and the one that accompanied this month's original column basically just deletes "Wikileaks." The original title was my mistake. The intent was not to direct attention to Wikileaks in a manner that Dan Quizal rightly referred to as a "20th Century view," but to ask how, if at all, organizations can or should be defended against the response from Anonymous? Its actions, triggered by the attacks on Wikileaks, hinted at a future of everything from Internet mischief (a la Anonymous) to cyber warfare, with business as potential collateral or intended victim. (Ironically, in the meantime we have learned that the "worm" that attacked Iran's nuclear centrifuges and sent them whirling out of control and into self-destruction in all likelihood was carefully engineered and surgically directed at the centrifuges, suggesting the possible. Next time the target may not be Iran.)
Getting back to my misstated question, none of you aimed your criticism at the technology, even lauding it, as Mark O'Connor did, as the "great equalizer." In Bev Stehn's words, "What is to be 'managed,' the tools of communication or those individuals using the tools?" Rather the problem for many of you is management itself, ranging from lack of transparency (Shantha Yahanpath. Bruce Watson) to a failure to support "whistle blowing" (Ratnaja Gogula), as well as individual failure to exercise care. As C. J. Cullinane said, "maybe the only thing that can help is common sense and learning to keep our mouths, and e-mails, shut."
The most prevalent attitude about dealing with a leaky Internet was to assume the worst and act accordingly. In Mike Schorah's words, assume that "A world where everyone knows exactly what everyone else is doing does seem to be where we're heading." Antidotes to these challenges are reasonably clear: In addition to greater transparency and support for "whistle blowers," several of you suggested the possibility of government protection. As Fidel Arcenas put it "government must be able to monitor and regulate Internet activities that adversely affect people's safety and welfare." Few were convinced that technology itself would provide more than temporary defenses.
The use of the Internet for spying was also regarded as inevitable. In addition to care in the use of the Internet, Gerald Nanninga pointed out that the best defense might well be a carefully-crafted strategy that competitors can't replicate even if they are familiar with it . Another creative proposal, leaking "outright disinformation," was suggested by M. P. Campbell.
This still leaves us with the question of the long-term implications of cyber-warfare for business. Unlike nuclear threats, at least for now they don't represent real threats to life. But for that reason, they are much more likely to be employed than nuclear weapons. What happened in Iran raises real questions about the implications of criminal or terrorist use of cyber weapons to destroy business assets. Should management be concerned about them? What, if anything, can or should be done about it at the organizational level? And finally, did any of you other than David Physick pick up on the irony that our discussion of transparency, Wikileaks, and Anonymous was joined by nearly 20 percent of respondents under the cover of "anonymous"? What do they have to hide? What do you think?
You've heard the advice that writing down sensitive things runs the risk of discovery in a legal case. The wise don't do it. But this can be a costly practice, given our faulty memories. And in the age of WikiLeaks and the Internet, when every "secret" seemingly becomes public before long, the new advice is to avoid trying to keep information secret.
Recently we were reminded about the insecurity of information stored and processed on Internet-based systems, a series of online reprisals against the Swedish government, Amazon, the Dutch police, Sarah Palin, MasterCard, Joe Lieberman, PayPal, and Visa. The connection? Individuals and organizations speaking out against and refusing service to WikiLeaks. The attacker and the cause? A crowd (I don't know what else to call it, since it is not an organized group) that calls itself Anonymous and that was spawned by ideas exchanged on an Internet message board, 4chan, in defense of Internet freedom. The weapon? According to the Financial Times, "Anonymous encouraged 'hactivists' to download a simple tool-known as the 'low orbit ion cannon'-that allows their computers to be used to inundate the targeted website with requests and bring it down."
What has happened to Internet security, you might ask? Apparently it still exists to some degree for one third of the organizations that have taken precautions to protect themselves. It works, too, for individuals who are careful about changing passwords regularly (so that, if you're like me, you can't even remember your own password from time to time). But user names, passwords, and Internet addresses have been pilfered from sites like Gawker, reportedly giving the hackers access to planned web site changes and advertising strategy.
So the possibilities of damage are endless, ranging from random (at least not formally organized) theft by amateur hackers, organized theft by criminals, and efforts by international terrorists to target and shut down, or threaten to shut down, everything from bank accounts to nuclear processing facilities.
There has been an immediate call for risk management plans in those business and governmental organizations that don't already have them. But let's assume that such plans only deter the amateurs and criminals for fleeting periods of time and that in fact it becomes impossible to hide or otherwise keep information confidential.
What implications does this have for the management of a medium- to large-size organization that has become wedded to the economies and convenience of the Internet? For example, assuming that email even exists five years from now, will we be able to use it for business purposes? Will large data files have to be "disconnected" from networks so that their security can be preserved, with the attendant loss of connectivity with other files? Will the ultimate irony occur that the Internet becomes essentially useless to managers for strategic and other important matters?
What, if anything, can or should be done to combat Internet theft and terrorism? How will Anonymous and friends affect management in the future? What do you think?
Tim Bradshaw, "Anonymous cyberwarriers stun experts," Financial Times, December 12, 2010, p. 3.