America’s critical computer networks are so vulnerable to attack that it should deter U.S. leaders from going to war with other nations, a former top U.S. cybersecurity official said Monday.

Richard Clarke, a top adviser to three presidents, joined a number of U.S. military and civilian experts in offering a dire assessment of America’s cybersecurity at a conference, saying the country simply can’t protect its critical networks.

Clarke said if he was advising the president he would warn against attacking other countries because so many of them — includingChina, North Korea, Iran and Russia — could retaliate by launching devastating cyberattacks that could destroy power grids, banking networks or transportation systems.

The U.S. military, he said, is entirely dependent on computer systems and could end up in a future conflict in which troops trot out onto a battlefield “and nothing works.”

Clarke said a good national security adviser would tell the president that the U.S. might be able to blow up a nuclear plant somewhere, or a terrorist training center somewhere, but a number of countries could strike back with a cyberattack and “the entire us economic system could be crashed in retaliation … because we can’t defend it today.”

“I really don’t know to what extent the weapon systems that have been developed over the last 10 years have been penetrated, to what extent the chips are compromised, to what extent the code is compromised,” Clarke said. “I can’t assure you that as you go to war with a cybersecurity-conscious, cybersecurity-capable enemy that any of our stuff is going to work.”

Clarke, along with Gen. Keith Alexander, who heads both the National Security Agency and U.S. Cyber Command, told the conference crowd that the U.S. needs to do a better job at eliminating network vulnerabilities and more aggressively seek out malware or viruses in American corporate, military and government systems.

But Clarke was more strident about pushing for broader government regulations to enforce such improvements, despite political reluctance. The problems, he said, will not be fixed unless the government gets more involved.

He added that the U.S. also needs to make it clear to countries such as China that efforts to use computer-based attacks to steal high-tech American data will be punished.

In a forceful and detailed public report last week. U.S. intelligence officials accused China and Russia of systematically stealing sensitive U.S. economic information and technologies for their own national economic gain.

The report called on the U.S. to confront China and Russia in a broad diplomatic push to combat cyberattacks that are on the rise and which represent a “persistent threat to U.S. economic security.”

On Monday, Clarke said that until there are real consequences for the massive espionage, countries like China will still keep stealing.

Co-ordinated by the FBI, the raids were carried out in the US, UK and six other countries.

The money was made by selling software that claimed to find security risks on PCs and then asked for cash to fix the non-existent problems.

The raids seized 40 computers used to do fake scans and host webpages that tricked people into using the software.

Account closed

About one million people are thought to have installed the fake security software, also known as scareware, and handed over up to $129 for their copy. Anyone who did not pay but had downloaded the code was bombarded with pop-ups warning them about the supposed security issues.

Raids conducted in Latvia as part of the attack on the gang allowed police to gain control of five bank accounts used to funnel cash to the group’s ringleaders.

Although no arrests are believed to have been made during the raids, the FBI said the computers seized would be analysed and its investigation would continue.

The raids on the gang were part of an international effort dubbed Operation Trident Tribunal. In total, raids in 12 nations were carried out to thwart two separate gangs peddling scareware.

The second gang used booby-trapped adverts to trick victims. Raids by Latvian police on this gang led to the arrest of Peteris Sahurovs and Marina Maslobojeva who are alleged to be its operators.

According to the FBI, the pair worked their scam by pretending to be an advertising agency that wanted to put ads on the website of the Minneapolis Star Tribune newspaper.

Once the ads started running, the pair are alleged to have changed them to install fake security software on victims’ machines that mimicked infection by a virus. On payment of a fee the so-called infection was cured. Those that did not pay found their machine was unusable until they handed over cash.

This ruse is believed to have generated a return of about $2m.

“Scareware is just another tactic that cyber criminals are using to take money from citizens and businesses around the world,” said assistant director Gordon Snow of the FBI’s Cyber Division in a statement.

If hacker collective Anonymous dominated the headlines the first half of this year, the second half may belong to upstart Lulz Security, whose brazen and prolific hacking is unprecedented.

In the past 30 days its targets have run the gamut from PBS to Sony to the CIA, and LulzSec has recently set its sights on Anonymous itself. So what makes LulzSec different from Anonymous, and from more typical cyber criminals and spies?

Without looking inside their heads, we can only speculate about the LulzSec hackers’ motivations. But there are a few things we can deduce.

They don’t seem to be motivated by money, as hackers increasingly seem to be. Hackers who seek to profit often do so by stealing credit card numbers and selling them on the black market, or through extortion by threatening gambling and other sites with denial of service attacks unless they pay for protection. LulzSec are also clearly not spies like the likely state-sponsored hackers who last month stole cryptographic keys from security firm RSA then used them to pilfer data from defense contractor Lockheed Martin.

If they’re not cyber thieves or spies, that seems to leave one option: hacktivism, or politically motivated hacking.

As of late, Anonymous has clearly fit that description, having come to mainstream prominence after it attacked PayPal, Visa, Amazon, and other companies that cut off service to WikiLeaks following the release of State Department cables late last year. Since then, Anonymous has targeted Iranian and Tunisian government websites, attacked Sony’s website in retaliation for a lawsuit against PS3 modder George Hotz, and most recently are seeking Federal Reserve Chairman Ben Bernanke’s resignation. But it wasn’t always this way.

The Emergence of Anonymous

Anonymous grew out of the riotous and rollicking online forum 4chan, from which many of the Internet’s memes—from lolcats to Chocolate Rain—have emerged. If you don’t enter your name when you post a message to 4chan (and no one ever does), the post is simply attributed to the default name, “Anonymous.” The fast-paced conversation on the site leads to an emergent mind collectively known as Anonymous.

This collective mind, and especially that of the /b/ message board, tends to have a jovially nihilistic worldview, seeking not much more than amusement, an escape from boredom, often at the expense of others. Asked why they do something, an “Anon” will likely reply that they “do it for the lulz,” which is a corruption of LOL—”laughing out loud.” They love pranks, evidenced by the Rickrolling phenomenon, which was born on /b/.

Like the Tea Party or Al Qaeda, Anonymous is a “starfish” organization. This means that while there may be some titular heads, any number of cells or individuals can operate under its banner. Anonymous is in this sense a large, amorphous, and disparate group of persons around the world—from novice “script kiddies” to expert hackers—who lend their talents and computing power to consensus schemes hatched on 4chan or other online hangouts.

These often include raiding and causing havoc among the unsuspecting denizens of other online forums, or flooding YouTube with porn disguised as children’s videos. Increasingly, however, Anonymous’ campaigns have tended to eschew the “lulzy” for the self-righteously political, culminating in this week’s preoccupation with the Fed.

“We Do It for the Lulz”

LulzSec (short for “Lulz Security”), as its name implies, seems to be a throwback to the original spirit of doing things simply “for the lulz.” Some characterize this attitude as anarchistic, but it could also be seen as existentialist or nihilistic. Faced with the reality of an absurd world without intrinsic meaning, some choose to approach life as “performance art” to give it meaning. LulzSec’s actions seem to fit this pattern.

Instead of preachy manifestos, they issue comical press releases. One of their first high-profile breaches was against PBS.org where they planted a fake news story reporting that Biggie Smalls and Tupac Shakur where alive and well and living in New Zealand.

The group’s active Twitter feed, decorated with Nyan cat and their monocled mascot, is often a stream of absurdist or surreal humor, with tweets such as, “You are a peon and our Freemason lizard rebellion will propel us towards binary stars of yore, you sweaty caterpillar farm,” and, “Mankind should tremble as the SSH key to your neuron load balancers are used as a pathway to the chemical exhilaration of entertainment.”

The group’s website plays the theme to The Love Boat and invites visitors to sing along to modified lyrics about “The Lulz Boat.” Pressing the mute button to stop the music only increases its volume.

They have even set up a seemingly untraceable telephone number where they sometimes take calls, and have a voicemail message where the group’s ostensible leader greets callers in a fake French accent saying: “You have reached the whistle box of Pierre Dubois. We are not present right now because we are busy ruining your Internet. Leave a message, and we will get back to you whenever we can.”

From all indications, their motivations are cheeky thrills, not fortune. In a failed marketing stunt last week, computer security firm Black & Berg challenged hackers to modify the image on their homepage if they could, and offered a $10,000 prize and a job to anyone able to do so. LulzSec did it in no time, posting their monocled mascot and writing “DONE, THAT WAS EASY. KEEP YOUR MONEY WE DO IT FOR THE LULZ.”

Why So Serious?

Absurdist performance art can be destructive, however. As some have pointed out, the literary analogy that must be made is to the character of the Joker, played by Heath Ledger in The Dark Knight). His only motivation in the film seems to be pushing Batman’s buttons. This is something the caped crusader can’t understand, and in a pivotal scene Batman’s trusty butler Alfred, played by Michael Caine, explains:

Alfred: A long time ago, I was in Burma, my friends and I were working for the local government. They were trying to buy the loyalty of tribal leaders by bribing them with precious stones. But their caravans were being raided in a forest north of Rangoon by a bandit. So we went looking for the stones. But in six months, we never found anyone who traded with him. One day I saw a child playing with a ruby the size of a tangerine. The bandit had been throwing them away.

Bruce Wayne: Then why steal them?

Alfred: Because he thought it was good sport. Because some men aren’t looking for anything logical, like money. They can’t be bought, bullied, reasoned or negotiated with. Some men just want to watch the world burn.

This raises the question, who is the rule-bound and moralistic Batman in the analogy? Is it the corporate and governmental authorities LulzSec has attacked? Or might it even be Anonymous itself, which LulzSec has begun to antagonize.

Adrian Chen, a Gawker writer who’s been following the group and raising their heckles recently tweeted, “I want to know how much @lulzsec is making off all this. Don’t really buy that it’s all for the lulzs.”

And one of LulzSec’s victims, Karim Hijazi of security startup Unveillance, has claimed the group tried to extort him. LulzSec denies it, telling Hijazi in a statement that they were “simply going to pressure you into a position where you could be willing to give us money for our silence, and then expose you publicly.”

“Though it is clear that Anon’s operations have been politically motivated, I don’t think that LulzSec’s motivations are as simple as just causing chaos,” says University of Utah cyberconflict researcher Sean Lawson. “I think there’s more to it than that.”

One of LulzSec’s motives, Lawson says, is pointing out hypocrisy by government and corporate actors. For example, LulzSec this week broke into the Senate’s website and published administrative account information, asking if that was considered an Act of War as the Pentagon had recently suggested such breaches would be.

“With the Senate.gov hack and their mocking response, they are clearly making a statement which says that such threats by the U.S. are ridiculous and hypocritical when government systems are so poorly protected,” Lawson says. “In the case of their specific hacks of white-hat, cybersecurity industry players like Unveillance, I think they are saying, ‘You’re not as good as you think you are; you’re failing your customers and have been selling bogus solutions.’”

Endgame

Whatever their motivation, their recent attacks on FBI affiliates, the Senate, and the CIA show LulzSec is increasingly like the fearless honey badger who doesn’t give a damn. They are not only in the sights of the government, but now in Anonymous’ as well, after the group targeted 4chan and some of the Anons’ favorite video game sites.

Unsurprisingly, LulzSec downplays the situation via Twitter: “Saying we’re attacking Anonymous because we taunted /b/ is like saying we’re going to war with America because we stomped on a cheeseburger.”

As we see in the Joker, someone so seemingly reckless and with apparently nothing to lose makes for a formidable opponent. Later in The Dark Knight, there is this exchange between Alfred and Bruce Wayne:

Bruce Wayne: The bandit, in the forest in Burma, did you catch him?

Alfred: Yes.

Bruce Wayne: How?

Alfred: We burned the forest down.

Let’s hope it doesn’t come to that online.

Responding to a recent report from the North Atlantic Treaty Organization condemning Anonymous, the online “hacktivist” group has issued a public response warning the global organization not to challenge it.

Claiming that the NATO report singled it out as a threat to “government and the people,” Anonymous defended some of its recent actions in the name of freedom and dissent. In its message (Google cached version), it also asserted that NATO fears the group not because it’s a “threat to society,” but because it’s a “threat to the established hierarchy.”

Issued last month by Lord Joplin, general rapporteur of NATO, the report warned member nations about the rising threat of “hacktivism,” or carrying out cyberattacks for political purposes. Singling out Anonymous, NATO described several of the group’s most recent actions, including the distributed denial-of-service attacks against MasterCard, Visa, PayPal, Amazon, and others that had cut off services for WikiLeaks.

Noting that Anonymous has become more sophisticated, the NATO report cautioned that it could hack into sensitive government, military, and corporate information and described a strong response against the group.

“Today, the ad hoc international group of hackers and activists is said to have thousands of operatives and has no set rules or membership,” said the report. “It remains to be seen how much time Anonymous has for pursuing such paths. The longer these attacks persist the more likely countermeasures will be developed, implemented, the groups will be infiltrated and perpetrators persecuted.”

In its response, Anonymous tried to soften its stance in parts by saying that it doesn’t want to threaten anyone’s way of life or terrorize any nation. But it made clear its reaction to NATO’s report.

“Finally, do not make the mistake of challenging Anonymous,” warned Anonymous in its message. “Do not make the mistake of believing you can behead a headless snake. If you slice off one head of Hydra, ten more heads will grow in its place. If you cut down one Anon, ten more will join us purely out of anger at your trampling of dissent.”

NATO’s report also provided a larger look into the growing danger of cyberattacks and how governments should respond to them. In the report, Joplin asked the question of how NATO should react if one of its member nations was the victim of a cyberattack.

“Can one invoke Article 5 of the Washington Treaty after a cyber attack?” asked the report. “And what response mechanisms should the Alliance employ against the attacker? Should the retaliation be limited to cyber means only, or should conventional military strikes also be considered?

Both the U.S. and the U.K. have recently made their own positions clear–that they consider cyberwarfare another form of warfare, and one potentially subject to a response using conventional military weapons.

Yet another cyber attack on a game-oriented server has apparently pulled the personal info of thousands of people along with the defacement of a web site designed to promote, ironically, a game that has hacking as one of its themes. KrebsOnSecurity.com reports that the official web site for Deus Ex: Human Revolution was hacked on Wednesday along with the Eidos.com web site. The sites also both displayed a message from the hackers (shown above).

According to the story, the hacked sites not only got defaced but the cyber attack also resulted in stolen info from 80,000 people off the Deus Ex web site as well as 6,000 resumes from the Eidos site. The report also seems to imply that the hackers have stolen the source code for the upcoming Deus Ex game but that seems to be unlikely. So far there’s been no official word from Eidos’s parent company Square Enix about this cyber attack. As far as the hackers themselves, the story suggests that they are a splinter group from the huge hacker organization Anonymous.

Of course, all of this activity comes in the wake of the cyber attacks on Sony’s Playstation Network that caused the company to shut down the console game’s online servers on April 20. The attack also caused the shut down of Sony Online Entertainment’s MMO servers on May 2. Personal info from tens of millions of users from both services were exposed in the cyber attack. Sony has blamed Anonymous for the attack but the group has repeatedly denied any involvement.

Playstation 3 console game players who have being waiting for the Playstation Network online service to be restored may be waiting much longer than originally anticipated. A report on Bloomberg claims that Sony is now saying that the online network, which has been down for nearly three weeks, won’t be fully restored before the end of May.

The report uses a Japanese Sony spokesperson, Shigenori Yoshida, as its source, saying that the company “is uncertain when it can resume the services” to the Playstation Network along with the Qriocity online music services. The report adds that Sony is still putting in an improved security system for the network which Sony shut down on April 20 after a cyber attacks by hackers that exposed the personal info of tens of millions of its users.

Sony has previously said that at least some of the Playstation Network’s services would come back online by the end of last week. However on Friday it backed away from that target relaunch date, with a spokesperson saying that Sony was “still working to confirm the security of the network infrastructure, as well as working with a variety of outside entities to confirm with them of the security of the system.” Sony has blamed the hacker group Anonymous for the cyber attacks that shut down both the Playstation Network and the MMO servers of Sony Online Entertainment. While the official line from Anonymous has been to deny causing the attacks, others believe that members of the group were indeed involved in some way.