Michael Hopkins still vividly remembers the call he received in November of 2012 from his longtime friend and business partner Cate Costa. Neither of them knew it at the time, but the call marked the beginning of the end for their startup company.
On the other end of the line, a panicked Costa told Hopkins that something was wrong with their website. She had tried to visit OnlyHonest.com – which allowed users to debate political issues by uploading cellphone or webcam videos – but the site had clearly been hacked.
“I tried myself,” Hopkins said. “Sure enough, I was redirected to a landing page with a dark screen overlaid with green coding, similar to the screens from The Matrix. In the middle of the page was the Anonymous mask, and an audio message was playing in the background.”
In the digitally synthesized voice made popular by the hacktivist group, the audio message responded to recent videos posted by users about violent protests that had broken out on the border between Syria and Israel – which had become a matter of public and political interest in the United States. The hackers accused Only Honest and its users of backing Israel in the face of Palestinian upheaval, and they accused the website’s owners of being part of the corrupt “mainstream media” that was misleading public opinion on the matter.
“It was ironic to us, because we were trying to be the anti-mainstream media,” said Hopkins, who was in his final year of law school when he and Costa launched Only Honest in August of 2012. Their goal was to give citizens a video platform where they could discuss important political issues, share their ideas and engage in constructive debates.
Having cobbled together about $15,000 from their savings and from family and friends (including what Hopkins described as his family’s “emergency rainy day fund”), Hopkins and Costa spent six months working with developers to build the site before revealing it ahead of the 2012 Republican and Democratic conventions. Using the conventions as a springboard, Only Honest quickly built a strong following, with about 20,000 visitors a day at its peak.
Overnight, everything Hopkins and Costa had built was under siege.
“We worked with our developers to redirect visitors back to our site, but about 30 minutes later, they had rerouted it back again,” Hopkins said. “We went back and forth like that for a couple weeks. It started to get expensive very quickly, because we would have to have our developers redirecting and re-redirecting the site in the middle of the night.”
Hopkins later learned from developers that the attack was coming from outside the United States, though it was impossible to pinpoint the exact country of origin. He also learned that the Anonymous group’s signature didn’t necessarily mean that the well-known hacktivist group was behind the attack; in some cases, individuals have conducted attacks using the group’s calling card in hopes of garnering its attention and an invite into the organization.
Hopkins and Costa eventually took down the site, but they weren’t done fighting. Media attention started swirling around their story, and several outside developers swooped in to help free of charge. By the end of the year, Only Honest was back up and running, and Hopkins and Costa had launched a mobile app. Their traffic continued to climb and revenue was coming in, to the point where they started to solicit outside investors who could help the firm grow.
Those plans were short-lived.
“Not long after we launched the app, we were hacked again,” Hopkins said, anguish still present in his voice nearly three years later. “At that point, we were low on cash, and frankly, I started to feel uncomfortable asking anyone to invest more money into us.”
Hopkins, Costa and a small team of interns managed to keep Only Honest running through social media for several more months, but without the website, the venture eventually fizzled out. Hopkins and Costa finally threw in the towel for good in late 2013. By that point, they had invested about $35,000 of their money and their families’ money into the business.
Only Honest has plenty of company in our country’s cyberattack cemetery. One in five small businesses falls victim to hackers every year, and of those, about 60 percent go out of business within six months of the attack, according to a study by the National Cyber Security Alliance.
Small businesses are particularly prone to attacks, experts say, because they’re considered more vulnerable by hackers (and accurately so). In other words, they’re seen as considerably less lucrative but far easier targets for cyber criminals looking to make a quick buck.
And yet, as cybercrime becomes increasingly common – presenting an ever more serious threat to small businesses, large corporations and government organizations alike – our country lacks policies to adequately defend America’s cyber networks (and by extension, its companies) from attacks.
One of the first steps our country’s leaders should take to strengthen our defenses, experts say, is to pass federal cybersecurity information sharing legislation, which would protect firms that share information about data breaches and other cybersecurity-related experiences with public officials and other companies. Without it, business leaders will remain understandably hesitant to share information about attacks for fear of litigation or other consequences.
“Businesses need legal certainty that they have safe harbor against frivolous lawsuits and regulatory, public disclosure, and antitrust matters when voluntarily sharing and receiving threat indicators and defensive measures in real time,” Matt Eggers, the senior director of national security and emergency preparedness at the U.S. Chamber of Commerce, wrote recently. “Congressional action cannot come soon enough.”
Congress has already made some headway on bills that would give businesses those protections, but lawmakers now must close the deal. The House passed cyber information sharing legislation earlier this year, and the Senate plans to resume debate on its own bill – the Cybersecurity Information Sharing Act (CISA) – when lawmakers return to D.C. next month.
Without protections like those outlined under CISA, Eggers explained, the public and private sector can’t investigate or learn from previous cyberattacks. As a result, American businesses are left increasingly vulnerable to the type of attack that drove Only Honest into the ground.
Looking back, that’s what still bothers Hopkins.
“One of the most frustrating things was that there was no good way to work with the government, or to let them know what was happening to us,” Hopkins said. “There really should be a way to at least let them know what’s going on, so even if they couldn’t help us, they could look at what happened and figure out how to respond to the next business it happens to. There was just no sense that anyone was learning from this, that anyone was looking for patterns or trying to stop it from happening again.”
While Costa and Hopkins lost thousands of dollars and countless hours of hard work, they managed to land on their feet after their company’s downfall. Costa now runs a consultancy in Chicago that supports first-time entrepreneurs, while Hopkins has since passed the bar and is preparing to move to Orlando, Florida, where he plans to become a public defender.
Still, Hopkins says he worries about the next cyberattack victim – in all likelihood, a startup founder or small business owner who may not have another career to fall back on.
“I think that’s the most frustrating part – feeling like nobody learned anything from what we went through,” Hopkins said. “It could easily happen to someone else.”