Amrit Williams dropped a post on some of the new cases, and new penalties, for certain kinds of cybercrime. In it he states:
The risk/reward for committing cybercrime is shifting, which will not result in less cybercrime, only more sophisticated criminal activity. So more evidence that hostile actors will become more organized, more sophisticated, and much harder to detect with traditional security measures.
I tend to agree slightly: as you raise the stakes, the potential reward needs to increase at least proportionally to the risk. But Amrit’s missing the main point. Mike Rothman gets us closer:
… but I’m not sure they are going to behave differently whether they are subject to 10 years or 3 years in the pokey. Whether the fine is $250,000 or $10 million. I don’t know much, but I suspect that most bad guys don’t want to get caught. … The folks know what’s at stake, but they don’t think they’ll be caught.
And there’s the rub. The biggest penalties in the world are totally ineffective as a deterrent if they aren’t enforced. From compliance, like PCI, HIPAA, and SOX, to cybercrime, a law isn’t a law until someone goes to jail for it.
Rothman nails it: right now the bad guys act with near impunity because they know the odds of getting caught are low. If all we do is improve enforcement of existing laws, and learn how to better enforce cybercrime laws across international boundaries (that’s a biggie), we’ll do FAR more to reduce cybercrime than increasing the penalties.
4 Replies to “It’s The Enforcement, Not The Penalties”
Hmm... seems to me that both are touching upon the same fundamental point, but from different angles. “I shall be more careful and more sophisticated (Amrit’s point) and (thus?) don’t think I will be caught (Mike’s view).”
And it is not just that risk/reward is shifting; security technology is chipping away at the lead as well. They have to be better in order to get away. It seems oddly Darwinian: the lesser hackers will go extinct and stronger ones will evolve. As long as there is money to be made, we will see evolution.
My post wasn’t focused on new penalties that need enforcement; no one would argue that laws or regulations without enforcement lack credibility. My post also had nothing to do with SOX, HIPAA, or other regulatory compliance initiatives. I was calling out the Justice Department’s creative use of existing laws to indict and eventually convict cyber criminals. This is similar to how the ATF worked with the Treasury Department to indict and convict Al Capone on tax evasion, or the creation and use of the RICO laws to go after the mafia and essentially destroy a once thriving criminal organization.
If kids are hacking for fame and fun and the penalties are light or the equivalent of a slap on the wrist, it is not much of a deterrent. If Schneir is convicted and receives a 60 year sentence (which will inevitably be pleaded down) with a $1.75 million fine, which the US Justice Department can impose on a minor’s legal guardians and garnish wages for years to come, it will limit the zeal of kids hacking. It is probably the reason shoplifting is so low in Saudi Arabia: who wants to lose their hands over a candy bar? So I think it is valid that the risk of cyber crime is increasing and the need to hide one’s actions and bypass detective controls will be much higher, and because of this we will see much less noisy worms/viruses and more targeted and stealthy attacks. Yes, more can be done, and yes, we need international cooperation, but it is moving in the right direction.