ICIT CERTIFIED: In this essay, ICIT Contributor Luther Martin from Micro Focus Government Solutions (an ICIT Fellow Program Member) discusses how governments that do not enforce cybercrime laws may in effect be decriminalizing cybercrime; and offers a possible solution to incentivize governments to enforce cybercrime laws. It has been reviewed by ICIT researchers and is certified as an educational document. ICIT encourages stakeholders to read this paper and distribute it widely to share its contents.
The Active Cyber Defense Certainty Act (ACDC Act), was introduced by US Representative Tom Graves in 2017. This Act proposed to “provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes.” In other words, it would legalize retaliatory hacking by businesses that were the targets of cyber criminals. This bill was widely derided as being a very bad idea. But is there a reasonable alternative to it?
Global spending on information security technologies is approaching $200 billion. That’s a lot of money that could be better spent on more productive things. It could be invested in hiring more workers, building more factories, etc. Or it could be spent on addressing some of the big problems facing the world today.
The Copenhagen Consensus Center tries to use a careful cost-benefit analysis to prioritize projects that would do the most good for the world. Their analysis covers issues like air pollution, armed conflict, climate change, education, and more, and it consistently shows that the damage caused by many of the world’s problems could be greatly reduced by relatively modest investments: perhaps $1 billion or less. Spending even 10 percent of the world’s information security budget on projects like these could dramatically improve the lives of millions of people, so there are very real costs from spending so much on information security instead of on more useful
Fundamentally, the reason that we need to spend so much on information security is because governments do not enforce existing laws. In many countries, cybercrime may be illegal, but is often effectively decriminalized as long as the targets of the cybercrime are in countries that are not friendly to the host nation of the cyber criminals. This makes information security a law enforcement problem, not a technology problem…
(This essay was originally published in ISSA)