from the unintended-consequences dept
One thing we’ve talked about for years is that lawmakers are notoriously bad at thinking through the unintended consequences of legislation they put forth. They seem to think that whatever they set the law to be will work perfectly, and that there won’t be any other consequences. This is one reason why we’re so wary of simple “fixes” even when the idea or purpose sound good up front. “Protecting artists” sounds good… unless it destroys the kinds of services artists need. Cybersecurity sounds good, unless it actually makes it easier to violate your privacy. And, now, people are realizing that not only may cybersecurity rules like CISPA be awful for privacy, but they could potentially lead to more “cyber” attacks, as companies look to “hack back” against those who attack them. As Politico describes:
The idea is known as “active defense” to some, “strike-back” capability to others and “counter measures” to still more experts in the burgeoning cybersecurity field. Whatever the name, the idea is this: Don’t just erect walls to prevent cyberattacks, make it more difficult for hackers to climb into your systems — and pursue aggressively those who do.
So, how would cybersecurity rules create more hacking? Well, possibly by encouraging this kind of behavior by providing some amount of cover for it. The Cybersecurity bill in the Senate last year included an undefined allowance for “counter measures.” CISPA doesn’t explicitly mention that, but some in the security field are interpreting the bill to provide some amount of cover for such “counter measures” in which they could “perform hacks against threats.” But, if you’re trying to discourage online attacks, that seems like a problem. The likelihood of someone attacking the wrong target is quite high, and it could create quite a mess.
Thankfully, the folks behind CISPA suggest that they’re willing to change the bill to make it more explicit that such countermeasures are not allowed, but until that’s in place, it’s a serious concern:
Some of those fears have reached Rep. Mike Rogers (R-Mich.), chairman of the chamber’s Intelligence Committee and one of CISPA’s lead authors. In fact, panel aides told POLITICO they’re open to revising the relevant definitions in the bill. And Rogers himself this year has railed on the idea of an aggressive active defense, describing it as a “disaster for us” at a time when the country’s digital defenses remain subpar.
Even if they fix this particular hole, it’s these kinds of things that should worry all of us about broad laws that provide things like blanket immunity over ill-defined concepts like “cybersecurity” and “cyberattacks.” The likelihood of it being abused is quite high, especially in an ever changing technology world. Just look at computer laws like the CFAA and ECPA, which cover various computer crimes and privacy today. Both are ridiculously outdated, with concepts that are laughable by any rational view today. And thus, there are massive unintended consequences associated with both laws. Before we rush into creating new laws with big broad vague terms, perhaps we should focus on fixing the old laws and proceeding with caution on any new ones.