Every week seems to bring a new hacking story — the massive hacking attack on the U.S. government's databases and the attacks on the U.S. health care system are just two of the bigger stories — so it's perhaps no surprise that the knee-jerk reaction is to take the fight directly to the hackers. Making the penalties tougher, expanding the scope of federal anti-hacking statutes and making it easier to prosecute wrongdoers will convince hackers that it's just not worth the risk, right?
The problem is that simply toughening the laws on hackers by extending their scope and reach or extending the prison sentences of hackers is not going to help catch the real hackers — the criminalized, anonymous hackers who operate in places such as China. Instead, they're more likely to ensnare the likes of hacktivist heroes such as Aaron Swartz.
Getting tough on hackers by extending the definition of what a hacker is would theoretically mean that people who even so much as retweet or click on a link with unauthorized information could be committing a felony. Moreover, the white hat hackers (the "good guys") could be ensnared as well, since their work, at its core, is indistinguishable from that of the black hat hackers (the "bad guys").
And that could have a chilling effect on innovation.
Laws and regulations can't keep up with the pace of technological change, and end up either prosecuting the wrong people or prosecuting the right people, but on charges that far exceed the scope of the crime. Consider that the current anti-hacking federal statute, the Computer Fraud and Abuse Act (CFAA), was enacted back in 1986, well before most politicians had ever heard of the Internet.
If tough hacking laws had been around 20 years ago, it might have stopped Google from launching its method of indexing Web pages or Apple from launching many of its innovative consumer gadgets. As Rob Graham, chief executive of Errata Security, points out, "Had hacking laws been around in the 1980s, the founders of Apple might've still been in jail today, serving out long sentences for trafficking in illegal access devices."
And there's another reason why tougher laws on hacking would have a chilling effect on innovation — they would not require corporations to do more on their end to correct fatal security flaws before those flaws are found by hackers. As we already know from experience, the last thing corporations want to do is to add an extra cost layer to their products by taking action to correct security flaws — even when they know the potential implications of a major security breach. If they know that the law will make it easier to recoup damages from hackers, they could have fewer incentives to find all possible security flaws.
In the case of Ashley Madison, the current hacking case du jour, the company didn't even bother to encrypt the underlying data, which means that once a hacker got into the company, it was a simple task of scooping up names, addresses and credit card information. You could argue that the hackers who broke into Ashley Madison are criminals, but you could just as easily argue that the company itself was criminally negligent.