Avaaz President Answers Cyber Attack Doubters

Avaaz president Ricken Patel tells TechWeekEurope why his organisation is asking its members for security sponsorship, despite its $1m tech budget

When protest body Avaaz claimed to have been hit by a “massive” cyber attack last week and asked for money to help it increase its security, it struck TechWeekEurope, its readers and others that this was a somewhat inventive method of getting money for IT.

Some wondered whether Avaaz was being honest about the hit, which the group claimed was most likely initiated by a government or private organisation. What kind of cyber attack was this? Why should people donate when there was so little public information about the attack? Where would the money even go? There were other tough questions aimed at the human rights campaigner.

Stephen Fry backs Avaaz

Only one more update has been made public since the initial plea, revealing that a 44-hour distributed denial of service (DDoS) strike hit the organisation’s IT infrastructure. That update also revealed the scale of the hit was equivalent to 20 times Avaaz’s highest traffic in its history, taking the site down but only for 14 minutes. The FBI has also been informed about the attack.

Avaaz’s site shows that almost 42,000 people have donated to this campaign, which has also had supporting tweets from Stephen Fry and author Margaret Atwood. Clearly many Avaaz supporters are backing the request.

Others evidently have doubts over the organisation’s methods, however. That’s why TechWeekEurope got hold of Avaaz’s president, Ricken Patel, to see if he could answer some tricky lingering questions.

If your website was only down for a total of 14 minutes, and you already have quality infrastructure like you say in your post, why do you need more funding for security?
The current protection is expensive and we want to keep funding it. But that protection was just barely enough this time, and the experts we talked to told us that larger attacks are possible and getting larger all the time, so the fundraiser is planning for the future. It’s also looking at far more than just DDoS – in the email we asked for support to protect against hackers of all types, and even to help with physical security of our staff in some of the more dangerous places we work.

If you paid your IT consultants (one of whom is a former CTO and another the current CTO, who appear to be related) almost $300,000 in 2010 – and I’m guessing a similar amount in 2011 given the rise from 2009 and the fact that the CTO is the same – how can you justify asking for more money for IT?
Our tech budget is actually much larger than that! The 300k to our CTO included support to a team of developers that work for Paul and Milena Berry [the former and current CTO respectively]. But we also have a range of other costs that aren’t covered by that contract like security audits, firewalls, many more developers, hosting etc. And like everything else at Avaaz, the tech team and needs are growing exponentially every year – we now have 15 staff on the tech team, and with our membership having doubled to 14 million in the last year, the size, complexity and risk of the infrastructure is growing.

So our tech budget is well over $1 million, and growing fast, and we didn’t have enough money budgeted for security to take a big leap up in that department. That’s why we needed to run the fundraiser.

Why are your CTO and former CTO listed as independent contractors providing IT consultancy? Are they not normal members of staff? What work did they do for almost $300,000 in 2010 and $245,000 in 2009?
As mentioned already, that’s not their salaries. They have a company called Talacon that employs a portion of our tech team. It’s an increasingly common model in our field of the CTO actually being a ‘captured company’ that works for one client. Moveon.org has the same thing.

Where is the money going?

What exactly are the funds you get from this cyber attack fund going to go on? How long will it take to implement changes and how much money are you going to spend on additional infrastructure?
We’re working on exactly what the next phase of investments will entail but the fundraiser had a list of things, and options include a full-time or part-time security officer, an upgrade to the service level for defensive tools, traffic analysers to more effectively track the source of attacks and upgrading the capacity of our firewalls. As mentioned, the fundraiser also has a wider range of objectives, such as helping to ensure the physical security of our staff.

Also, this is the first fundraiser like this that we’ve done in 5 years, and I doubt we’ll do another one for a long while, so the funds should support this priority for us for a while. That’s part of how online fundraising and campaigning works – you leverage bursts of engagement from our membership with particular priorities and campaigns to generate longer term sustainable impacts.

I see your account reports are already hosted on Amazon. Is the website hosted on Amazon? If so, should that not help with a DDoS attack? If not, are you planning to move the website to the public cloud?
Here’s the answer I got from our online director Matt Holland – the website is not hosted on Amazon. Like other high-capacity web services, the hosting platform is complex and includes a physical server farm, a content distribution network, and some resources served through Amazon’s cloud services.

Who are the experts that have been advising you? Do you have an external company or individuals helping you with this?
Datagram is our hosting company and was our first and key ally and advisor on this. Also Croscon, which performs ongoing security audits of our servers, and Arbor Networks, which provides the defensive hardware which helped in this attack.

Why did you choose to ask people to donate via the website when it was under attack? Seems a little backwards… why not wait until afterwards?
We waited until we were sure the site was secure before we launched the fundraiser. If the site was secure, why wait? Also, online campaigning is a bit like the media in that our campaigning functions on 24-48 hour timelines and so it’s not good to put nothing out for a week. We had urgent campaigns we needed to run on other issues, but a donation campaign generates much lower traffic and so we judged it was safer to run the donation appeal while the attack was ongoing, and then run the high-participation campaigns once the attack was over.

Are you a security lover? Test yourself with our quiz!