By George Friedman

In early December I received a call from Fred Burton, Stratfor’s vice  president of intelligence. He told me he had received information indicating our  website had been hacked and our customer credit card and other information had  been stolen. The following morning I met with an FBI special agent, who made  clear that there was an ongoing investigation and asked for our cooperation. We,  of course, agreed to cooperate. The matter remains under active  investigation.

From the beginning I faced a dilemma. I felt bound to protect our customers,  who quickly had to be informed about the compromise of their privacy. I also  felt bound to protect the investigation. That immediate problem was solved when  the FBI told us it had informed the various credit card companies and had  provided those companies with a list of compromised cards while omitting that it  had come from us. Our customers were therefore protected, as the credit card  companies knew the credit cards and other information had been stolen and could  act to protect the customers. We were not compelled to undermine the  investigation.

The FBI made it clear that it expected the theft to be exposed by the  hackers. We were under no illusion that this was going to be kept secret. We  knew our reputation would be damaged by the revelation, all the more so because  we had not encrypted the credit card files. This was a failure on our part. As  the founder and CEO of Stratfor, I take responsibility for this failure, which  has created hardship for customers and friends, and I deeply regret that it took  place. The failure originated in the rapid growth of the company. As it grew,  the management team and administrative processes didn’t grow with it. Again, I  regret that this occurred and want to assure everyone that Stratfor is taking  aggressive steps to deal with the problem and ensure that it doesn’t happen  again.

From the beginning, it was not clear who the attackers were. The term  “Anonymous” is the same as the term “unknown.” The popular vision of Anonymous  is that its members are young and committed to an ideology. I have no idea if  this is true. As in most affairs like this, those who know don’t talk; those who  talk don’t know. I have my theories, which are just that and aren’t worth  sharing.

I was prepared for the revelation of the theft and the inevitable criticism  and negative publicity. We worked to improve our security infrastructure within  the confines of time and the desire to protect the investigation by not letting  the attackers know that we knew of their intrusion. With the credit card  information stolen, I assumed that the worst was done. I was wrong.

Early in the afternoon of Dec. 24, I was informed that our website had been  hacked again. The hackers published a triumphant note on our homepage saying  that credit card information had been stolen, that a large amount of email had  been taken, and that four of our servers had been effectively destroyed along  with data and backups. We had expected they would announce the credit card  theft. We were dismayed that emails had been taken. But our shock was at the  destruction of our servers. This attack was clearly designed to silence us by  destroying our records and the website, unlike most attacks by such groups.

Attacks against credit cards are common, our own failures notwithstanding. So  are the thefts of emails. But the deliberate attack on our digital existence was  a different order of magnitude. As the global media marveled at our failure to  encrypt credit card information, my attention was focused on trying to  understand why anyone would want to try to silence us.

In the days that followed, a narrative evolved among people claiming to speak  for Anonymous and related groups. It started with looking at our subscriber list  and extracting corporate subscribers who were now designated as clients. The  difference between clients and subscribers is important here. A client is  someone you do customized work for. A subscriber is simply someone who purchases  a publication, unchanged from what others read. A subscriber of The New York  Times is not its client. Nevertheless, some of the media started referring to  these subscribers as clients, reflecting the narrative of those claiming to  speak with knowledge of our business.

From there, the storyline grew to argue that these “clients,” corporate and  government, provided Stratfor with classified intelligence that we reviewed. We  were no longer an organization that analyzed the world for the interested  public, but rather a group of incompetents and, conversely, the hub of a global  conspiracy. The media focused on the first while the hacking community focused  on the second.

This was why they stole our email, according to some of them. As one person  said, the credit cards were extra, something they took when they realized they  could. It was our email they were after. Obviously, we were not happy to see our  emails taken. God knows what a hundred employees writing endless emails might  say that is embarrassing, stupid or subject to misinterpretation. What will not  appear is classified intelligence from corporations or governments. They may  find, depending on what they took, that we have sources around the world, as you  might expect. It is interesting that the hacker community is split, with someone  claiming to speak for the official Anonymous condemning the hack as an attack on  the media, which they don’t sanction, and another faction defending it as an  attack on the rich and powerful.

The interpretation of the hackers as to who we are — if indeed that was  their interpretation — was so wildly off base as to stretch credulity. Of  course, we know who we are. As they search our emails for signs of a vast  conspiracy, they will be disappointed. Of course we have relationships with  people in the U.S. and other governments and obviously we know people in  corporations, and that will be discovered in the emails. But that’s our job. We  are what we said we were: an organization that generates its revenues through  geopolitical analysis. At the core of our business, we objectively acquire,  organize, analyze and distribute information.

I don’t know if the hackers who did this feel remorse as they discover that  we aren’t who they said we were. First, I don’t know who they actually are, and  second, I don’t know what their motives were. I know only what people claiming  to be them say. So I don’t know if there is remorse or if their real purpose was  to humiliate and silence us, in which case I don’t know why they wanted  that.

And this points to the real problem, the one that goes beyond Stratfor’s own  problem. The Internet has become an indispensible part of our lives. We shop,  communicate, publish and read on it. It has become the village commons of the  planet. But in the village commons of old, neighbors who knew and recognized  each other met and lived together. Others knew what they did in the commons, and  they were accountable.

In the global commons, anonymity is an option. This is one of the great  virtues of the Internet. It is also a terrible weakness. It is possible to  commit crimes on the Internet anonymously. The technology that enables the  Internet also undermines accountability. Given the profusion of technical  knowledge, the integrity of the commons is in the hands of people whose  identities we don’t know, whose motives we don’t understand, and whose ability  to cause harm is substantial. The consequence of this will not be a glorious  anarchy in the spirit of Guy Fawkes, but rather a massive repression. I think  this is a pity. That’s why I wonder who the hackers actually are and what cause  they serve. I am curious as to whether they realize the whirlwind they are  sowing, and whether they, in fact, are trying to generate the repression they  say they oppose.

The attempt to silence us failed. Our website is back, though we are waiting  for all archives to be restored, and our email is working again. Our failures  have been reviewed and are being rectified. We deliberately shut down while we  brought in outside consultants to rebuild our system from the ground up. The  work isn’t finished yet, but we can start delivering our analyses. The handling  of credit cards is being handed off to a third party with appropriate capability  to protect privacy. We have acted to help our customers by providing an identity  theft prevention service. As always, we welcome feedback from our supporters as  well as our critics.

We are fortunate that we have the financial resources and staff commitment to  survive the attack. Others might not. We are now in a world in which anonymous  judges, jurors and executioners can silence whom they want. Take a look at the  list of organizations attacked. If the crushing attack on Stratfor is the new  model, we will not be the last. No security system is without flaws even if it  is much better than Stratfor’s was.

We certainly expect to be attacked again, as we were last week when emails  were sent out to members from a fake Stratfor address including absurd messages  and videos. Our attackers seem peculiarly intent on doing us harm beyond what  they have already done. This is a new censorship that doesn’t come openly from  governments but from people hiding behind masks. Do not think we will be the  last or that we have been the first.

We will continue to publish analysis and sell it to those who believe it has  value. To our subscribers who have expressed such strong support, we express our  deepest gratitude. To our critics, we assure you that nothing you have said  about us represents a fraction of what we have said about ourselves. While there  is much not to be proud of in this affair, I am proud beyond words of all my  dedicated colleagues at Stratfor and am delighted to return our focus to  analyzing critical international affairs.

To all, I dedicate myself to denying our attackers the prize they wanted. We  are returning to the work we love, dedicated to correcting our mistakes and  becoming better than ever in analyzing and forecasting how the world works.

We have acted to help our customers by providing an identity theft prevention  service.