Is Hacktivism Legal? When Activism Becomes a Security Concern

People have taken to the streets for centuries to speak up for what they believe in. Whether that’s a boycott, picket line or vote, activism comes in many shapes and sizes. However, it looks a little different now in the digital age where people have access to more resources and knowledge than ever before. Welcome to the age of hacktivism, where the lines between justice and ethical action are quite blurry.

What Is Hacktivism?

Everyone knows what a hacker and activism are — hacktivism is a combination of these concepts. It is when a hacker, instead of a publicly known individual, attempts to promote social or political ideals by using their hacking skills in digital landscapes. Much like real-world activism, this can take peaceful and hostile forms, despite any stereotypes associated with hacking as a whole.

For example, someone could deface a company’s social media accounts or website to spread a political message that could be harmful or jeopardize a brand’s image by spreading misinformation. This could be motivated from revenge or moral outrage. Consider this type of attack being employed during election season and how it could blackmail or smear a candidate.

Alternatively, an environmental hacktivist may shut down an oil company’s website for a day, replacing their landing page with a call-to-action to get people to vote for anti-oil policy. Though this could damage the oil business and their sales from website leads, it has fewer ramifications than more severe forms of hacktivism. This would be more akin to having a line of protesters with signs outside of a company’s office building. Though it is disruptive, it is more peaceful.

Though the implications of these examples are different, hacktivism does often require unauthorized access or questionable technologies to infiltrate online and digital spaces they would otherwise be prohibited from entering. 

Is There Such a Thing as an Ethical Hacker?

Ethical hackers, also known as white hat hackers, exist and are vital to expanding cybersecurity in all sectors. They are responsible for having the mindset and strategies of modern hackers and using them for good. 

For example, a car company may hire an ethical hacker to find vulnerabilities in their machinery by playing with tactics current threat actors use. Then, they provide advice on how to defend against them based on how successful they were in infiltrating the systems.

Does this mean hacktivists are white hat hackers because they are fighting for a good cause? Not necessarily. They could have immoral or unjust motivations. Additionally, there are massive legal gray areas to hacktivism. 

Is Hacktivism Legal?

Participating in a march while holding a sign is not illegal. Nobody is getting hurt and no destruction is happening. Does that mean hacktivism is legal?

Yes. The Computer Fraud and Misuse Act (CFAA) is the answer to all things related to hacking and legal repercussions. It labels most hacking as illegal, therefore, hacktivism would also be against the law. Here are a few of the important details to note.

The CFAA doesn’t put all hackers under the same designation, and each category is treated differently. Hackers fall under three types:

• Malicious
• Ethical
• Hacktivist

This implies hacktivists are somewhere in the middle of the hacker spectrum. Despite the hard “no” on most hacking, academics are still arguing the minutiae of this debate. The U.S. needs to mend some gaps in hacktivism definitions and understanding to make laws more comprehensive. It is impossible to designate them as all immoral or moral. 

However, to be on the safe side, most consider it an illegal practice because it is, at its root, a cybersecurity threat. Many of a hacktivist’s tactics rely on the same techniques as malicious hackers, but it’s the intent that changes things. 

What Are Ways People Have Used Hacktivism in Real Life?

Critical infrastructure is particularly vulnerable to hacktivism because of how much of an impact it can make to a vast quantity of people. You have likely seen hacktivism in the news but never knew the disruption was due to a hacker. 

One example was a recent attack by pro-Russia hacktivists against utilities and agriculture. The attempts spooked the CISA and FBI so much they quickly advised pertinent organizations to reset passwords and set up multifactor authentication.

In July 2024, hacktivists targeted the Heritage Foundation, a well-known conservative organization based out of Washington, D.C. The group wanted to punish Heritage for supporting what they believed were toxic ideologies by releasing two gigabytes worth of data in names, emails, usernames and passwords. You may not think two gigabytes is a lot, but when it is all text-based information, there is a lot that can fit in that space.

Another attack in London showed the power and diversity of hacktivist threats. A hacktivist named Anonymous Sudan attempted to attack the London Internet Exchange but failed. Britain has historically supported Israel amid the conflict, and the hacktivists targeted the Exchange to fight for their beliefs. 

Are Hacktivists a Security Threat?

The jury is still up for debate on how much an hacktivist should be allowed to gallivant the internet. Regardless, the blurry understanding should spark productive conversations with the industry’s experts to create more firm boundaries and punishments for specific hacktivist actions. Should all of them be judged equally? Should courts dig deeper into each specific case to find if the intent was peaceful or not? Would this be a reliable system?

These are all questions experts cannot uncover unless collaboration and discussion persist throughout all sectors. Despite it feeling like an exclusive issue to techies, hacktivism can touch everything from the public sector to food and beverage depending on the hacktivist’s motivation. As with all cybersecurity, everyone should anticipate they will be the next victim and prepare accordingly.