Anonymous, the mercurial “hactivist” collective behind a series of pro-WikiLeaks cyber protests, has declared war on the British Government following the arrest of five people in the UK.
In a statement posted online the loosely affiliated organisation has called on supporters to hit government websites with distributed denial of service (DDoS) attacks, a relatively simple way of flooding a target website with so many requests for information that it is forced to shut down.
The tactic has been used by Anonymous activists with remarkable success over the past two months to temporarily disable financial and government websites that have been critical of Wikileaks in the wake of the publication of thousands of secret US embassy cables.
Recent victims have included government and law enforcement websites in Tunisia, Egypt, Zimbabwe and the Netherlands.
The online call to arms against the UK raises the spectre of co-ordinated cyber attacks on government online infrastructure and comes after police in both Britain and the United States have ramped up their investigations into the cyber protests.
Last week the Metropolitan Police arrested five people under the Computer Misuse Act in connection with pro-WikiLeaks Anonymous attacks. The five men, aged between 15 and 26, have been bailed pending further enquiries.
In the States FBI agents conducted 40 raids on suspected Anonymous supporters over the weekend as part of an ongoing investigation into recent DDoS attacks against Mastercard, Visa, PayPal and Amazon, all of whom have refused services to WikiLeaks following the cable leak.
Anonymous’ statement, which describes itself as "a serious declaration of war from yourself, the UK government, to us, Anonymous, the people” is also a defence of the use of DDoS attacks which it regards as an online equivalent of direct action as a form of protest.
“Arresting somebody for taking part in a DDoS attack is exactly like arresting somebody for attending a peaceful demonstration in their hometown,” the statement read. “Anonymous believes this right to peacefully protest is one of the fundamental pillars of any democracy and should not be restricted in any way. Moreover, we have noted that similar attacks have also been carried out against Wikileaks itself, yet so far, nobody has been arrested in connection with these attacks, nor are there even any signs of an investigation into this issue at all.”
Critics say DDoS attacks are simply a form of online vandalism that can cause major financial damage.
The threat has been judged serious enough for GovCertUK, the information security agency, to issue an advisory urging government websites to take precautions against DDoS attacks. “In light of this threat we would advise you to be vigilant against any new signs of DDoS activity you may encounter, and to notify us if such activity occurs,” the advisory warns.
In recent months the Government’s cyber security has been criticised in some quarters for being ill-prepared to deal with both hacking and mass cyber protests like DDoS.
In November a lone hacker from Romania successfully broke into the Royal Navy’s recruitment website and published details of current and former defence staff, including a former Royal Navy head.
Last year the Coalition also declined requests to upgrade government computers from using Internet Explorer 6, a decade old internet browser that has been abandoned by the French and German governments because of concerns over patches in its security.
Analysts say UK Government websites, which are not used to handling large spikes in traffic, could be vulnerable to DDoS attacks. Unlike hacking, which involves experts breaking into websites through vulnerabilities in their security system, DDoS attacks simply flood a network to breaking point making them difficult to mitigate against without specific protection measures.
“A website like Ticketmaster would be hard to hit with a DDoS because it is used to dealing with sudden influxes of traffic, for example when they put Take That tickets on sale,” explains Rik Ferguson, a cyber security expert at Trend Micro. “Government website are not built for that. To take down something like Amazon, which Anonymous tried and failed to do, you would need thousands of machines. But to flood a small or medium business, however, it can take as little as one hundred.”