How to hack a government
A security researcher lays out a step-by-step plan to overthrow a government.
Last month members of the Turkish military experienced an attempted coup to oust president Recep Tayyip Erdoğan. The overthrow attempt was quickly thwarted, but it might have succeeded if Chris Rock (the security researcher, not the comedian) had had a hand in it.
Rock's "How to Overthrow a Government" presentation at Def Con last week took attendees through the step-by-step process of taking over a country. At a security conference where talks are usually limited to exposing the vulnerabilities of things like cars, operating systems and gadgets, the subject was a bit more far-reaching. And while hilarious at times, it was a surprising eye-opener about how common hacking techniques combined with military know-how could help topple a regime.
But Rock noted that it takes more than just sitting behind a keyboard to be a kingmaker. To fill in the knowledge gaps he had, he enlisted the help of Simon Mann, a mercenary and former British army officer who was jailed (and eventually pardoned) for a failed coup of Equatorial Guinea in 2004.
With Mann's help, Rock created a thorough plan that demonstrated how to overthrow the nation of Kuwait. He presented three methods for regime change: elections, coups and revolution. For Kuwait, he decided a coup was too messy, as it would require taking on a huge military force. Because the prime ministers and crown prince are appointed, the notion of a rigged election is moot. So Rock decided to go with a revolution.
Rock laid out what could be accomplished with a few years' planning and a relatively small team. His presentation was a mixture of spycraft and hacking, with surprisingly few resources. First you need to collect intelligence. You can hire a firm for that. But Rock notes that the best information is what you collect on your own.
Something like this also requires resources, which is another word for cash. And you're going to need a lot of it. The talk covered the possibility of hacking into government banks not only to help fund the operation (by siphoning money from people who fund terrorist organizations lulz), but to move money around to create a paper trail of corruption implicating the nation's leaders. Rock told attendees to keep it simple: Instead of using fancy zero-day attacks on the bank, he suggested paying a janitor a few thousand dollars to plug in a USB stick.
As for how to use that money you've pilfered, Rock says you should hire protesters to highlight any corruption you find during your intelligence-gathering. He also suggests hiring people to dress up as policemen to attack the people calling for change. Nothing gets the masses on your side like a video of citizens being attacked by the police.
It's also important to control the flow of information, which means hacking ISPs, government sites and the media. By controlling when a nation has internet access, you can manipulate not only its citizens, but also the world. No one's happy when they hear that a country is keeping its residents from expressing themselves.
Those online publishers and government sites can be used to plant stories about top-level corruption. If those articles are pulled down, to the average citizen it's further proof that the people in charge are trying to hide something. He also suggests planting articles in major outlets outside the country. Just be sure you have two sources for the publication. He liked to call them "unnamed government officials."
Then it's time to take down the power grid. After finding out where the most important power grids are located, he realized that he couldn't hack into them. So he built a device with two saw blades and cordless drill that could be flown into a power station on a drone to cut the lines.
With the infrastructure, media, internet access and banks under his team's control, riling up a country's citizens is really just a matter of timing. While this seems like a fun (but disturbing) proof of concept, the reality is that Rock's team of three was able to get full access to five of the Kuwait banks, its media and ISPs five years ago. It took them two years to accomplish their goal. The nation had hired him to test its security and his since patched up the vulnerabilities.
Yet this same methodology could be used to initiate a coup, revolution or even steer the course of an election in nearly any country. He noted that Wikileaks' disclosure of the Democratic National Committee's emails could be part of a scheme to influence the upcoming US election. He wasn't too impressed by the timing, though. "It's just leaking out slowly," he said. "There's no methodology. It's sloppy."
Surprisingly, Rock's talk was added to Def Con's lineup months ago. Since then, zero government officials or revolutionaries have reached out to him about his techniques. At least not yet.
As for concerns that his methods would be used against a nation, he told Engadget that it takes a long time to do. "I spent 11 years of research and maybe two years with this small group," he said. "It's a lot of work for a small group." He notes that it involves having people on the ground getting a read on the people. But it's not outside the realm of possibility that a small group could pull it off. Indeed, he expects it'll probably happen, he said in an interview.
So if you're thinking of taking down a country, you're going to need to do more than just throw a few denial-of-service attacks or leak some embarrassing emails. And if you're a nation with a slightly irritated populace, you might want to shore up your security and treat your citizens better.
