“I can get that from Google!” – is a common phrase that has been directed at me during my time as an open source intelligence professional. Clearly the intimation behind this phrase is that mainstream media coverage of cyber incidents is of the same quality as the product of an open source intelligence organization. I would disagree with this stance. I deliberately picked hacktivism as the focus for this piece as it’s the most public form of cyber threat activity and the threat sphere most commonly reported on by the mainstream media.

One way of interpreting hacktivism is through the lens of viewing the practices, actors and events involved in hacking campaigns as components within a public performance. It is a performance in which the actors (hacktivists) attempt to engage and provoke a target audience through their actions. If one accepts this as a valid way to view hacktivism, one must also accept that there are different ways a performance can be interpreted.

For example, to some, the children’s cartoon “Thomas the Tank Engine” is little more than harmless fun, while to others it represents the inequalities of a society deeply segregated along class lines. Irrespective of core semantic differences within the interpretation of a performance different memes, themes and aspects stand out to different members of the audience. Clearly this creates ambiguity in interpreting the execution and objective of the performance, leading to the need for a critic to analyse and provide direction on the content of the events that the audience has perceived.

If one accepts the notion of hacktivism as public performance, then the role of the critic would appear to fall to the mainstream media, whose role it is to interpret and make sense of the drama that is modern hacktivism.

At times this interpretation can be a bit shaky. Witness the 2011 example of a the rather bizarre spectacle of Sky News journalists discussing the motivations and goals of Louise Boat, a humorous misinterpretation of the Lulzsec Twitter handle: Lulz Boat.

Granted, events like the Louise Boat/ Lulz Boat incident are rare, probably due to the increasing headlines that hacktivists are now getting within mainstream media coverage. However, many well-researched media pieces dealing with hacktivism still show huge variations in their interpretation of the meaning of the core events.

As an example of this, witness the media coverage around the Syrian Electronic Army’s (SEA) campaign from 2011 to 2016. During this period, some media reporters suggested that the group presented an existential threat, while others suggested it was a mere sideshow.

A possible explanation for the media’s ambiguity in the interpretation of the meaning of groups like the SEA could stem from the difficulty in getting a solid factual base of the activities of hacktivist groups. Take for example the timeline of SEA attacks presented by the Guardian, with its almost exclusive focus the Western targets that the SEA attacked. Now compare that with the attack timeline presented by the OpenNet Initiative. While neither article claims to give a complete representation of the SEA’s activities, if either article is viewed in isolation then a very different picture of the SEA “performance” is created within the mind of the audience.

Given fragmented nature of hacktivist activity, factors such as confirmation bias and the temptation to sensationalize stories would appear to run riot with much of the media reporting related to this subject. Within this context, the importance of the role of an open source intelligence organization as a purveyor of qualified and unbiased intelligence on hacker activities becomes apparent. It is this rigorous application by career security professional of techniques that reduce the risk of succumbing to cognitive biases by employing structured analytical techniques.