Cybersecurity: It's our problem

Two law professors want a paradigm shift in how we approach cybersecurity. Michael Kassner discusses this new theory and wants to know what you think about it.

Let's face it: we're not winning the battle against cybercrime. Why is that? Is it because not enough money is being spent, or are the cybercriminals that much smarter?

I'm not sure. My only thought is that possibly we're going about it all wrong. Maybe cyberspace is too virtual or too nebulous for the "good guys" to triumph using normal crime-busting. That's as far as I took my sociology exercise until Rich (SanteeWelding) introduced me to an interesting alternative.

The experts

Before getting into the details, I'd like to introduce you to the people who came up with this rather unusual proposal. The article that Rich sent me eventually led me to a paper titled Distributed Security: A New Model of Law Enforcement. It was co-authored by Susan Brenner of the University of Dayton School of Law and Leo L. Clarke, formerly of the Thomas M. Cooley School of Law.

I'll warn you: the paper is long. But don't let that scare you. Knowing that, I'd like to follow their format, yet compress it into a "you get the idea" article for those who don't have time for the full-length thesis.

The way it's done now

Brenner and Clarke first explain that our current criminal law has its roots in the Industrial Revolution and is based on punishing the person convicted of a crime with what is deemed an appropriate penalty by society:

"Currently, sanctions against criminals, such as prison sentences, fines, and the freezing of assets rely on a system that can entrap the criminals in order to bring them to justice."

As you can see, our entire criminal justice system relies on the criminal being apprehended.

The problem

The current legal system fails miserably when it comes to cybercrime, simply because it's difficult to capture the criminal. Let's look at why:

  • Criminals operate through distributed networks or botnets, leaving little chance of tracing the activity back to them.
  • Criminals operate from locations where their activities aren't considered illegal or may even be state sponsored.
  • Criminals gravitate to countries that refuse to extradite.

From the above points, it's easy to see where the current system falls apart when it comes to cybercrime: retribution is almost non-existent.

Enhance the existing system

Brenner and Clarke offer some insight on how changing the existing legal structure may be of some help. I'll let you decide if their assertions are plausible or not:

  • Provide an international forum where the involved countries will create laws and work together, in an attempt to put the fear of retribution back into the criminal's mind.
  • Allow sanctioned law-enforcement services to actively fight cybercrime by reverse hacking in the form of malware, DDoS attacks or any means that are deemed necessary to shut down criminal activity.
  • Allow civilians to react when they become targets of a cybercrime by using reverse-hacking tools similar to those available to law-enforcement services.

To me, the above solutions are more of the same, and piling bad on top of bad doesn't improve anything. But wait, Brenner and Clarke aren't done yet; here's where they step outside the box.

Prevention not reaction

Prevention is not a new approach; what makes their thinking unique is how they want to accomplish prevention:

"The critical aspect of the new model lies not in prescribing specific preventive measures but in shifting the focus from reaction ("cybercrime is law enforcement's responsibility") to prevention ("It's my responsibility to protect myself").

We must realize that we are the front line of defense against cybercrime; we must understand that our carelessness could facilitate a successful cyberterrorist or information warfare attack on the critical infrastructures of our society."

So, there's the big shift. They want each of us to take responsibility for our on-line activities. That makes sense to me, but I'm an IT security advocate. What's their plan for gathering every computer user in the world into one cohesive group?

Now for the kicker

To say the least, Brenner and Clarke are realistic. They know that users won't buy into this type of program automatically, so they got creative. Remember, I mentioned earlier that the problem with cybercrime is that criminals are hard to apprehend. Well, that doesn't apply to us users, does it? I'll let them explain how it works:

  • One who uses cyberspace to engage in activity without having taken all reasonable measures to protect herself from being victimized assumes the risk.
  • The fact that one assumed the risk of victimization cannot be used as an affirmative defense in a prosecution for conduct involved in that victimization.

So, they place all the responsibility on the user, eliminating any possibility of civil litigation. Just to make sure, they include the option of criminal prosecution for negligence. Here's their reasoning:

"Assumed risk creates a disincentive by negating the expectation that law enforcement will redress one's victimization by apprehending and sanctioning the perpetrator.

The second principle creates such a disincentive by imposing criminal liability on those who fail to prevent cybercrime. One who aids and abets a crime is liable for it as if he committed it."

That's quite a shift

It seems that they want to hold each of us liable for the health of the entire Internet. I've been trying to come up with a real-world example of something similar, but I'm not having much luck. If you have examples, I'd appreciate hearing about them.

Final thoughts

You can imagine the range of emotions I went through as I read Brenner and Clarke's report. After all is said, I feel they have a good grasp of the problem. What I'm not sure about is their solution.


Information is my field...Writing is my passion...Coupling the two is my mission.