Cybercrime is illegal. When a cybercriminal gets caught hacking into Google's servers or distributing ransomware, they'll go to jail. To decide whether or not to carry out an attack, a cybercriminal considers three big-picture items:
- The value they expect to gain for themselves by attempting the attack.
- The probability of getting caught.
- The punishment they expect to receive if they do get caught.
The threat of punishment is meant to deter cybercriminals from carrying out their attacks. In theory, increasing the probability of getting caught, or increasing the punishment, should reduce the amount of cybercrime. It will, but there's a cost.
By having excellent OPSEC practices and correctly taking advantage of technologies like Tor, the cybercriminal can make their probability of getting caught as small as they would like. In order to catch criminals hiding behind these technologies, law enforcement will need ever broader access to information on the Internet. Moving forward this way, we're trading off the cybercriminals' for the governments' access to our online lives. Who would you rather have in your computer, a cybercriminal looking to make a quick buck off your data then leave, or your government? If you're less of a fan of the government having access to your stuff, then you ought not to support increasing the criminals' probability of getting caught.
Making the punishments more severe is a poor idea too. We've see again and again people being prosecuted under cybercrime law for "crimes" that shouldn't have been crimes. Skilled cybercriminals will avoid the punishments. They will land on innocent hackers and security researchers who are only trying to protect us. Even if the system could correctly distinguish between security researcher and cybercriminal, the criminals will inevitably frame innocents for their crimes. As long as it is easier and more likely for an innocent person to be convicted than themselves, they don't have to worry about getting caught.
If we let law enforcement increase its chance of catching the criminals, we get a bad outcome. If we increase the punishments for cybercrime, we get a different bad outcome. That's a hint we should think about decreasing both.
What if we legalize cybercrime?
Let me paint a utopian world for you, where all kinds of cybercrime – hacking, ransomware, DDoS, etc. – are entirely legal.
With no law to hide behind, companies will put a much more serious effort into making products that are secure from day one. The "Nobody will do this because it's illegal!" excuse is gone. With no chance of remediation, companies will be responding to the successful attacks on their own. They will design their systems to survive a breach and they will push for more secure industry-wide standards. The standard for payment on the Internet should not allow itself to be stolen out of a database dump as easily as a credit card number is. Identities should not be easy to steal.
Worried about cyberwar? Country A is at war with Country B. For the last 5 years, all forms of criminal hacking have been legal in Country A. Country B wastes resources trying to catch and punish criminal hackers. Which country's infrastructure is more robust and harder to attack? Who will win the cyberwar?
The security industry would be thriving full of researchers finding and fixing the flaws in the products we use every day – without fear.
Alas, this is a utopian dream. There are downsides to legalizing cybercrime. At first it would create chaos. All the cybercriminals currently put off by our laws would rush onto the scene overnight. But over time, the chaos would subdue to reveal a robust digital economy that's secured by code and mathematics, having no need for law.
Worse than the chaos legalization would create, what's legal for now-cybercriminals would become legal for law enforcement and other employees of the government. I argued that we should brave cybercriminal attacks instead of giving our governments a wider window into to the more-personal parts of our online lives. If we made cybercrime legal without adding protections against government hacking, they would trade their lawful access for 0days, and we might end up worse off.
There are other crimes – like distributing child pornography – that need to be investigated on the Internet. So legalizing cybercrime wouldn't end the government's desire to surveil the Internet. To really make this work, we would need to mitigate those crimes in different ways.
While we can dream of a future where cybercrime is legal and we rely on our code and math to protect us, completely legalizing it today is not our best option. Nevertheless, we should consider moving in that direction. If nothing else, then as we're working hard on technical fixes to our problems, let's remember that other entities are trying to mitigate the risk through different means like the law. Let's make sure our goals stay aligned.