Should cybercrime be a capital offense? No, wait, hear me out.
A major pipeline operator had to shut down operations due to an apparent ransomware attack. Details are a bit sketchy, but Colonial Pipeline, which is responsible for transporting a major percentage of the gasoline for the East Coast, apparently got hacked and had to shut things down. No word yet on when service will be restored.
Ransomware and other cyber crimes have been in the news a lot over the last few years. Russian and other international hackers have managed to install malware on any number of American companies’ and government agencies’ systems. Others have managed to disrupt operations at schools, hospitals, and state and local governments. I see no reason not to expect these kinds of crimes to continue, at least until the white hats in the information technology field figure out consistent ways to thwart them.
This got me thinking about crime and punishment. I mean, cybercrime flourishes at least in part because of relatively small overhead—what does an enterprising hacker really need beyond their own skills and an internet connection?—combined with relative apathy towards the consequences. Sure, if caught, you might go to jail. But getting caught is not guaranteed, and there’s potential to make millions of dollars if you target the right people. The risk-reward calculation seems out of whack.
Now, I’m not really a death-penalty enthusiast. I do think some crimes are so heinous and perpetrators so unrepentant, that the death penalty is appropriate. At the same time, I sympathize with people who argue that the death penalty is barbaric, and I agree that it’s applied in a discriminatory way—and far too prone to error. Just today comes a report that, after Ledell Lee was executed for a 1993 murder, DNA evidence was found that points to another suspect. Personally, I wouldn’t have any major concern if the death penalty were abolished.
Still, if we MUST have the death penalty, we should think about its efficacy less as punishment than as deterrent. And in this sense, I think we’ve made the wrong things into capital offenses. Murder is a capital offense, for example, but fear of the death penalty doesn’t prevent murder. If someone really wants someone else dead, they’re not likely to be swayed by a fear of consequences. Similarly, certain crimes against the state, like treason, are punishable by death—but traitors, whatever else you may say about them, see themselves as pursuing a cause greater than themselves and are often all too happy to embrace martyrdom.
Cyber criminals, though? They’re in it for the money. And with a low-risk/high-reward calculation, why wouldn’t someone with the basic skills to extort deep-pocketed victims take advantage? But what if the consequences of getting caught were exponentially worse? Might this not convince some people that it’s really not worth the effort?
And lest you think this too extreme—that it’s an example of the punishment being wildly disproportionate to the crime—consider that we’re not just talking about a hacker making it impossible to access your email or deleting a few files from your computer. We’re talking about things like potentially shutting down hospitals or knocking a city’s electrical grid offline. The consequences could most definitely be life-threatening.
We are, for better and for worse, so technology dependent as a society, that attacks on internet connections should probably be considered in much the same way as would an attempt to poison a water supply or blow up a bridge. Unless and until authorities start treating these acts as such, we’ll only see more and more of these attacks. Many of them will simply be nuisances, but some of them won’t. And it only takes a few of the worse attacks to cause mayhem.
No comments:
Post a Comment