Further to the Q&A with Mark James, ESET security specialist, I decided to have a look at a bit of public response and hold an open discussion with my colleagues on the subject of cybercrime and appropriate punishments.
Yesterday I posted my Q&A with Mark James, of ESET fame. We took quite a broad look at the possible life sentence and cybercrime in general.
After posting it quite a discussion started on our LinkedIn group and consequently around the office. Some questions and possible answers came up that I hadn’t yet considered.
Cybercrime vs. Face-to-Face crime
£1 million stolen from a bank is worth exactly the same amount as £1 million stolen via malware, right?
But is £1m stolen at gunpoint from frightened bank tellers and members of the public the same as £1m stolen via click-fraud? No, I don’t think it is.
The physical is inherently more damaging to those involved. Even if no one is actually shot or hurt, the psychological impact could be tremendous.
The danger with this kind of legislation is that Cybercrime could be seen as equivalent to real-world physical crime and subject to similar rulings. I believe that this puts the power in the hands of the cybercriminal.
The Law vs. Cybercrime
Here’s a hypothetical to try and explain what I mean.
A man commits armed robbery and successfully steals £1m from a bank. He is later tracked down, caught and tried. The money is recovered and he is sentenced to life imprisonment. He cannot commit another robbery whilst incarcerated.
At the same time another man creates a piece of malware which steals credit card details. He manages to steal £1m before he is caught and imprisoned for life, just like the other man.
But he also released the program online to his fellow hackers before he was caught. Five of them change the program slightly and launch their own malware attacks, stealing £1m each. You see where I’m going with this?
The scope for digital attack is so much larger than conventional crime: particularly with the Internet of Things growing daily and Smart Cities looming on the horizon.
You can prosecute the perpetrators of cybercrime as much as you like but whether it acts as a suitable deterrent and whether the Law can adapt fast enough will remain to be seen.
Overall I think it’s a ham-fisted attempt to make the general public feel secure after multiple high profile companies have become compromised.