One of the first cyberattacks was an ‘art project’ that targeted the Pentagon
A grad student and an actor surprised the defense department
The first acts of hacktivism were so radical, participants weren’t even positive they were illegal.
Americans who used the internet for political protest in the 1990s argued they were exercising their constitutional rights — only instead of in-person nonviolent protest, it was all online. It was “electronic civil disobedience,” in other words, a virtual sit-in.
So said the founders the Electronic Disturbance Theater as they planned to attack the Pentagon’s website in 1998.
New Yorkers Stefan Wray, a 37-year-old grad student, and Ricardo Dominguez, a 39-year-old actor, were already experienced activists. They had picketed and distributed pamphlets for various causes. But as the tools of the internet became more apparent, they dreamed up a new form of resistance. And it started as an art project.
Wray and Dominguez founded the Electronic Disturbance Theater to draw attention to the struggle of the Zapatista rebels against the Mexican government. Besides the website of then-Mexican President Ernesto Zedillo, they started with a high-profile target: the Pentagon.
“As a person of the theater, I couldn’t have created a better script–the drama, the conflict,” said Dominguez.
In October 1998, the EDT launched perhaps the first electronic act against a target on American soil, according to Forbes. Using a Java applet called FloodNet, participants would overload Pentagon websites with denial-of-service attacks. Essentially, FloodNet multiplied requests every three seconds in order to overwhelm and crash target servers. The Pentagon’s web presence, they hoped, would falter.
It was technically legal. No felony had been committed; EDT had merely disrupted traffic, not altered data. The founders argued they had replicated constitutionally protected nonviolent civil protest, just online. “We are transferring the social-movement tactics of trespass and blockade to the Internet,” Wray told The New York Times after the attack, in a front page story.
They employed and popularized the term electronic civil disobedience to describe their actions.
But the definition and its uses would raise important questions for a new cyber frontier. Some called the hacks nothing more than nuisances or “electronic graffiti,” while others demanded virtual sit-ins be prosecuted as serious crimes. And if the military or Pentagon was the target, the matter became immensely more complicated.
What EDT didn’t anticipate was that the Pentagon would launch its own defense: another Java applet. Whenever Pentagon servers received a FloodNet request, the applet loaded multiple blank browser windows on the attacking user’s display. He or she would have to reboot to get back online.
But the Pentagon shouldn’t have retaliated at all, argued Joseph Broghamer, information assurance lead for the U.S. Navy’s Office of the Chief Information Officer. “Offensive information warfare is not a good thing…period. You want to block, not punish,” he says. “There is no technical reason to react offensively to a hacker attack.”
That wasn’t good enough, countered major corporations, which were experiencing more cyberattacks every day. Facing legal grey areas and a colossal lack of law enforcement resources, these targets prepared to defend their networks against cyberattack like the Pentagon had. It was corporate vigilantism.
“It’s up to us to protect ourselves,” said Lou Cipher (a pseudonym of his choice), a senior security manager at one of the country’s largest financial institutions, in 1999. “We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves.” Cipher claimed when his company learned the physical location of the attackers, they broke in, stole computers, and left a note saying, “See how it feels?” Another time they “resorted to baseball bats.”
By that year, 32% of surveyed Fortune 500 companies had installed counteroffensive software.
The Electronic Disturbance Theater’s attack was ultimately peaceful and comparatively transparent (the founders used their real names). But it contributed to growing anxiety around the ease of implementing cyber threats, many of which had more criminal goals.
“If you have 10 people at a protest, they don’t do much of anything,’’ a Toronto-based hacktivist called Oxblood Ruffian told The New York Times. “If you have 10 people online, they could cripple a network.’’
In response, then-Attorney General Janet Reno created a new federal agency called the National Information Protection Center. In the following years the government established the U.S. Cyber Command under the NSA to combat cyber warfare as well as cybercrime division in the FBI. The departments of Defense and Homeland Security also have strategies in place.
But at the time, the EDT’s denial-of-service attack on the Pentagon marked a shift in the use of the World Wide Web from passive documentation network to active tool of resistance. Roughly 10,000 people participated in the demonstration, and the conversation reached mainstream media.
With that goal, it was more like traditional grassroots protest than the group ever intended.
