"Cyber attacks", advocacy groups, and legitimacy

Yesterday, Avaaz posted a newsletter release stating that they were experiencing a “massive” cyber attack, sophisticated to the point that

"likely only a government or major corporation could launch an attack this large, with massive, simultaneous and sophisticated assaults from across the world to take down our site."

https://secure.avaaz.org/en/massive_attack_on_avaaz_b/

Their immediate follow-up, in the same newsletter, is to ask for donations on their website, to contribute to a “defence fund” to protect against future attacks.

This raises all kinds of alarm bells - though not the kind it is in Avaaz’s interest to raise.

  • if their website is currently under attack, should supporters feel comfortable donating via their website? Wouldn’t that actually put the supporters’ personal information or credit card details at risk?
  • how does “donating now” mitigate an ongoing attack? Security investments that could come as a result would be implemented months down the road. If the website continued to function normally throughout that time, then the urgency or necessity of the “security” donations is strongly called into question.
  • what is the severity of the attack, and who is the expert who can corroborate that it is happening? Is there any third-party assessment, beyond Avaaz’s own internal claims?

The overall situation raises an important point - that, in the future, as online campaigns or online activities of advocacy groups play a more influential role, they will somehow be targeted by other actors (indeed, corporations, governments or organizations with a different political view) who are challenged by their activities. Without a doubt, at some point in the future this may become a very real concern for advocacy groups.

What isn’t clear, in Avaaz’s messaging, is if that is legitimately the case here. To - all at once - state that you are “under attack”, that you need urgent security investments, and to ask for donations, is a combination of messages that seems ill-advised (if not extremely questionable), especially without any sort of third-party confirmation. If you were pretending to be under “cyber attack” and were hoping to solicit donations under those grounds, your message would look exactly the same.

What makes things much more blurry is that “cyber attack” is a term that is almost impossible to define. Are they being spammed by some malicious server filling their petition forms with links to (of course) questionable pharmaceutical sites? If so, that’s less a cyber attack, and more a regular fact of running a website on the internet, something dealt with (not always easily) with careful (but not expensive) network security setups. Perhaps the case here was spawned from a simple miscommunication between some computer consultant and Avaaz’s campaign team: small-scale “cyber attacks” are entirely normal, for any website online. In most cases, finding out that they are occurring does not lead to a donation campaign reaching millions.

If Avaaz was the target of a carefully-designed, globe-spanning computer virus aimed exclusively at their systems (as was the case in the recent Iran incidents that Avaaz’s situation is compared to here), then that would be a very different story - and a few thousand dollars in donations would not have any impact in preventing it.

This sets an extremely uncomfortable precedent for other non-profit organizations. To pay for website upgrades or network security, should they also claim to be “under attack” by mysterious corporate cyber attackers? If they actually are “under attack”, should soliciting donations via their (still-under-attack) website really be the first action they take?

And finally: are the groups that are targeted most really the most deserving recipients of your donation money? Should that be your criterion for donating to an organization?

Donate to organizations that do good work. Full stop.

And to organizations like Avaaz: if your online sites are under attack, enlist some computer security firms, perhaps on a pro bono basis, to improve your network security. If those investments cost money, ask for it, months later, as part of your regular administrative costs - not as an urgent, “only your donation can keep us online” appeal that can only smell contrived (at best) or put donors at risk (at worst).