Is punishing people for a lack of computer security useful? A professor from RIT wants to do this to reduce the amount of cybercrime.
In the link above she gives some reasons why she believes this is important. The more I think about this idea, the more I don't like it. Here is why.
Unsecured computer resources are a huge problem in cybercrime. Yet the same problem happens in the real world. Criminals steal cars so that they can't be tracked. Hackers steal computers and set up complicated networks so they can't be tracked.
In the real world, trying to hold victims accountable doesn't make sense. If we criminalize ignorance, then we are all guilty. Why not change the systems that allow this criminal behavior to happen?
For example, for years credit card companies said that magnetic strips were safe enough for credit card users. It turns out that billions of dollars were stolen and countless lives disrupted because of this. Now, with chip technology, it is much harder to steal money and cause problems. We didn't hold those people accountable, because the system gave them a card that was insecure. Why would we do it for a computer or other technology?
If anyone is guilty here of helping criminals, it would be those companies that didn't make security a priority. We can't punish Microsoft and Oracle, can we? Why punish the person who has the least power and the least knowledge about the situation?
Let's say that people want to be responsible and secure their computers. They would need to turn into IT people to do that. The number and variety of security threats have never been greater. It isn't enough anymore to just install some endpoint security; they would need to pay for a very expensive firewall, layers of defense, and a dedicated IT person to monitor and respond to any risk. While IT people like me would love this for job security, it is a hard sell for the average person or company.
It is really fascinating to be an IT person and see the huge amount of risk that companies and individuals take with their security. Even though the news almost weekly reports a huge break-in and compromised system, companies are still reluctant to spend money on securing their infrastructure. The ones who do spend money, like Chase, still get hacked, so at some point the average person might say, "What is the point? It will get hacked anyway." An understandable point of view, but an incomplete one.
Even the smallest companies are getting probed and attacked dozens or hundreds of times per day. Firewalls pay for themselves many times over, protecting people from things they aren't even aware of. Firewalls are the robot bouncer that silently does its job, and no one is the wiser except the IT people.
Asking everyone to bear the cost of supporting a secure technical infrastructure would be ideal, but it is impractical. What would be better would be to legislate that companies whose software is used in hacking be financially responsible for restitution. That would clear up the problem really quickly. Yet when software is secure, the government will want access to it. So perhaps having insecure software that allows hacking also allows surveillance. Hmm. Something to think about.