How to Punish Cybercriminals
Interesting policy paper by Third Way: “To Catch a Hacker: Toward a comprehensive strategy to identify, pursue, and punish malicious cyber actors”:
In this paper, we argue that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers. We show that:
- There is a burgeoning cybercrime wave: A rising and often unseen crime wave is mushrooming in America. There are approximately 300,000 reported malicious cyber incidents per year, including up to 194,000 that could credibly be called individual or system-wide breaches or attempted breaches. This is likely a vast undercount since many victims don’t report break-ins to begin with. Attacks cost the US economy anywhere from $57 billion to $109 billion annually and these costs are increasing.
- There is a stunning cyber enforcement gap: Our analysis of publicly available data shows that cybercriminals can operate with near impunity compared to their real-world counterparts. We estimate that cyber enforcement efforts are so scattered that less than 1% of malicious cyber incidents see an enforcement action taken against the attackers.
- There is no comprehensive US cyber enforcement strategy aimed at the human attacker: Despite the recent release of a National Cyber Strategy, the United States still lacks a comprehensive strategic approach to how it identifies, pursues, and punishes malicious human cyberattackers and the organizations and countries often behind them. We believe that the United States is as far from this human attacker strategy as the nation was toward a strategic approach to countering terrorism in the weeks and months before 9/11.
In order to close the cyber enforcement gap, we argue for a comprehensive enforcement strategy that makes a fundamental rebalance in US cybersecurity policies: from a heavy focus on building better cyber defenses against intrusion to also waging a more robust effort at going after human attackers. We call for ten US policy actions that could form the contours of a comprehensive enforcement strategy to better identify, pursue and bring to justice malicious cyber actors that include building up law enforcement, enhancing diplomatic efforts, and developing a measurable strategic plan to do so.
Mike Acker • November 2, 2018 6:29 AM
I think those who slam out products that are weak on security bear just as much responsibility as the “hackers” who leverage weak software/firmware, and, perhaps, “backdoors” that bypass logons and encryption.
Addressing product liability won’t be easy. To start, we should take care to observe that “solutions” are built using many tool sets: the O/S, the compilers and libraries, the product itself, as well as the various network services.
The solution then ought to focus on assigning responsibility for quality in a limited manner: everyone in the chain plays a part and is responsible for that part of the work over which he has control.
I.e., I check the SHA256 value for my O/S as well as the signatures for those values. I do the same for the compiler and library that I will use. I’m responsible for doing these checks.
And finally, I’m responsible for the code I develop and test.
Use PGP signatures.
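The chain of checks the comment above describes (verify the PGP signature on the publisher’s SHA256SUMS manifest, then verify each downloaded artifact against that manifest), as an added Python example that is not part of the post or the comment. The `gpg` wrapper, the file names and the sample manifest are assumptions for illustration.

```python
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

def parse_sha256sums(text):
    """Parse a coreutils-style SHA256SUMS manifest ('<hex>  <name>' or '<hex> *<name>')."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest_signature_valid(manifest, signature):
    # Hypothetical wrapper: trust the manifest only after gpg reports VALIDSIG on its status fd.
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", str(signature), str(manifest)]
    res = subprocess.run(cmd, capture_output=True, text=True)
    return res.returncode == 0 and "[GNUPG:] VALIDSIG" in res.stdout

def check_files(manifest_text, directory):
    # Map each manifest entry to 'ok', 'mismatch' or 'missing'; compare digests in constant time.
    results = {}
    for name, digest in parse_sha256sums(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results

def demo():
    # Constructed sample: one intact download, one tampered download, one never downloaded.
    d = Path(tempfile.mkdtemp())
    (d / "compiler.tar").write_bytes(b"hello")
    (d / "libfoo.tar").write_bytes(b"hello, tampered")
    h = hashlib.sha256(b"hello").hexdigest()
    return check_files(f"{h}  compiler.tar\n{h} *libfoo.tar\n{h}  os.iso\n", d)
```

Run `manifest_signature_valid()` on the manifest and its detached `.sig` first; a manifest whose signature does not verify proves nothing about the files it lists.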