Cascades: The Anonymous Hack of HBGary

In January 2011, Aaron Barr, the CEO of HBGary Federal, a company that sold digital security services to the federal government, thought he had discovered a goldmine. Less than two months later, his life, his company, and his reputation lay in shambles. “Cascades,” a three-part case study produced by New America’s Open Technology Institute (OTI), tells the story of what transpired in between. Part A details how, amid substantial financial difficulty, Barr and his firm attempted to uncover the leaders of Anonymous, a prominent hacktivist collective. Part B explores how Anonymous retaliated by exploiting numerous gaps in HBGary’s IT defenses to release tens of thousands of the firm’s e-mails; deface the company’s website; and post online Barr’s social security number, telephone number, and home address. Part C concludes by detailing the aftermath of the attack and examining its implications for hacktivism, digital security, and public policy.

 In narrating this cascading crisis, the case—which draws on interviews with academic experts, journalists, and policymakers—aims to animate student discussion around several core questions. Chiefly: Why is the Internet so difficult to secure? How can technological and human/cultural flaws “cascade” to create crises? And what can society as a whole and policymakers specifically do to mitigate some of these risks.

More broadly, the narrative attempts to fill a gap in U.S. public policy schools’ curricula. Over the last decade, threats to online personal safety—ranging from stolen credit card information to compromised social media accounts—have become frighteningly commonplace. At the same time, many high-profile organizations—including Sony, Chick-fil-A, and the U.S. Postal Service—have recently experienced serious data breaches.[1] Nonetheless, the U.S. government is just beginning to grasp the gravity of online threats and how to respond to them, and U.S. public policy schools are lagging behind in educating future leaders about how to prepare for and deal with these risks.

“Cascades” is part of a New America strategy, titled “Bridging the Tech-Policy Divide,” to create a curriculum focused on the intersection of information technology and public policy that can be federated at schools across the country. The first case study in this curriculum, Riding the Wave, detailed how Congressman Seth Moulton’s 2014 campaign leveraged social media to advance its efforts; in other words, an example of how information technology enabled an organization to achieve its goals. This case, by contrast, illuminates how modern technology can just as easily facilitate an organization’s downfall. The takeaway is that information technology is powerful but—like most innovations—can be used for enormous good or evil. Future policy leaders must study this tool so that they can ensure that its positive qualities hold sway.

Download the Teaching Note for this case study

[1] “Data Breach Tracker: All The Major Companies That Have Been Hacked,” Money, October 30, 2014, available at http://time.com/money/3528487/data-breach-identity-theft-jp-morgan-kmart-staples/ (accessed on January 2, 2016).