Attack on Sentencing Commission Website Exposes Weak Defenses

Privacy and data law firm practitioners said the January 26 attack on the U.S. Sentencing Commission’s website fit with a pattern of assaults intended on shaming the government by conveying political messages in part through exposing embarrassing weaknesses in federal cyber defenses.

The “hacktivist” group Anonymous claimed responsibility for hacking and defacing the commission’s website, and threatening to release sensitive information unless federal sentencing guidelines were reformed.

Anonymous said it hacked the website in retaliation for the death of Aaron Swartz, the 26-year-old entrepreneur and political activist who killed himself earlier this month. The group said it hacked the commission’s website because of its “symbolic” relation to the case.

If convicted, Swartz faced a maximum sentence of more than 30 years, although prosecutors offered him a deal that would have kept him behind bars for six months. In addition to a statement, Anonymous posted nine encrypted files, named after each of the Supreme Court justices, which allegedly contain sensitive information from numerous websites.

Anonymous did not provide detail about what’s in the files, but did say that its “contents are various and we won’t ruin the speculation by revealing them. Suffice it to say, everyone has secrets, and some things are not meant to be public. At a regular interval commencing today, we will choose one media outlet and supply them with heavily redacted partial contents of the file.”

Privacy and data law firm practitioners said the attack was part of a growing issue for government agencies.

“It’s a psychological ploy,” said Mary Ellen Callahan, chair of Jenner & Block’s privacy and information governance practice and former chief privacy officer at the Department of Homeland Security. “Anonymous uses embarrassment to convey their political message, and they do so quite effectively.”

Callahan said that the Sentencing Commission’s site might have been an easier target than other agency sites like the Department of Justice because it serves as a billboard site that provides public information. “Regardless of the vehicle Anonymous uses, it’s about publicity and topics important to them, like sentencing guidelines,” she said.

David Fagan, a partner with Covington & Burling, said in an interview that it’s often difficult to identify the perpetrators because of the loose affiliation of the group and the varying levels they utilize to conceal their tracks.

“Tracking cyber criminals is not easy,” said Fagan, who works with Covington’s global privacy and data security practice. “If it were easy, there would be many more prosecutions. U.S. law enforcement are pretty sophisticated but a lot of their ability to detect who is doing something depends on how sophisticated the perpetrators are and how clever they are at covering their tracks.”

Crowell & Moring partner David Bodenheimer said that the latest attack differed from last year’s assault on the Department of Justice website, in that it was “not simply a denial of service, but resulted in a compromise to the integrity of the website.”

The commission’s site remained down as of Monday afternoon. Commission spokeswoman Jeanne Doherty said she was unsure when the site would be up and running. The commission and the FBI acknowledged the attack in written statements. Neither provided many details.

“We were aware as soon as it happened and are handling it as a criminal investigation,” Richard McFeely, executive assistant director of the criminal, cyber, response, and services branch of the FBI, said in a written statement. “We are always concerned when someone illegally accesses another person’s or government agency’s network.”

Bodenheimer said that the government shouldn’t write off Anonymous’ threat as empty, given the increasing number of cyber attacks being waged. “It’s all part of a Wild West on the Internet as the attacks are coming from multiple directions, nation states, hacktivists and organized crime syndicates,” he said. “Some of the damage that can be done range from minor to taking over a power grid. It all combines to illustrate the vulnerability of the systems and how far we need to go in hardening cyber defenses.”

 

Matthew Huisman is a reporter for The National Law Journal, a Legal affiliate based in New York.