Is Anonymous trying to get a CEO jailed or fined?

The hacking group Anonymous hacked security contractor Stratfor, stealing its customer list including names, addresses, and credit card numbers, which they then used to go on a charity shopping spree.

My former boss’ wife asked him on Facebook what these guys want. And that brought a CISSP question to mind.

Perhaps the most fundamental of CISSP questions is why should CEOs and other C-level executives care about computer security, and why should computer security consultants work and report directly to those executives, rather than being part of the IT department?

The biggest answer lies in the 1991 Federal Sentencing Guidelines. If executives fail to do reasonable, prudent things to protect customer data–like put firewalls in place and encrypt databases–they personally face imprisonment or fines of up to $290 million. That’s enough to make even the most overpaid CEO take notice. That makes them willing to employ one or more security experts–presumably at least one of them would be a CISSP–to tell them how to protect their data, and to make the IT department listen to what these experts are saying.

And that should be a pretty convincing argument, I would think.

The question is whether this textbook answer actually works in the real world, and if it works selectively or consistently. I’m sure that Anonymous and many of the Occupy movement believe it only works selectively, if at all. When was the last time you heard of a sentence like that being handed down?

Perhaps Anonymous’ motivation for pointing out that the database wasn’t even encrypted is to signal to authorities that Stratfor didn’t meet its obligations under the law.

Calling Stratfor’s upper management to account for neglecting to encrypt its database of customer records won’t necessarily stop Anonymous immediately. But it will take away Anonymous’ claim of any moral high ground. It would erode whatever public support the group has, and likely cause some of the group’s participants to drop out.

While not likely that any members of Anonymous are CISSPs–such activity is a good way to lose your certification–undoubtedly many members of Anonymous are familiar with what’s on the exam and in the books.

I don’t know if that’s their motivation, but it’s interesting to think about.

If you found this post informative or helpful, please share it!