Schrödinger’s Hacking Law And Cyber Burnout: Capacity Building in U.S. Cybersecurity – Council on Foreign Relations


In 2021, more than 2.7 million jobs in cybersecurity were unfilled. The dearth of cybersecurity experts serving anywhere in government and private industry has been described as a national security threat and an imperative. There are two reasons for this severe shortage of people in cybersecurity: bad law, and missing mental health support. 

First, the bad law–which makes it arguably illegal to learn to be a computer security expert–has a villain’s backstory. In 1986, thanks to policymakers who were overly terrified by a 1983 fictional movie starring Matthew Broderick called WarGames (to be fair, this movie along with 1992’s Sneakers and 1995’s Hackers is beloved among the cybersecurity community), the United States got stuck with a truly terrible law called the Computer Fraud and Abuse Act (CFAA). And every day since, every person who’s been recruited to serve as a cyber warrior by the U.S. government has no idea whether they are a de facto multiple felon. There’s no real way to determine whether a CFAA violation has happened or will actually happen if you’re practicing on almost any computer using almost any technology, because interpretations of that law are up to the individual understanding of any local prosecutor, and local criminal prosecutors do not, in my sadly-more-than-typical involvement in CFAA prosecutions, have a great deal of understanding of the finer points of computer network access.

This lack of prosecutorial technical knowledge makes the CFAA uniquely problematic. Most prosecutors and juries can intuitively understand things like assault, drugs, and theft, but prosecutorial discretion in tech crimes, when those prosecutors do not understand the tech itself, means that many prosecutors rely on their emotions and politics to determine whether to prosecute someone under the CFAA. The CFAA, together with prosecutors’ lack of technical knowledge and the range of discretion the law offers them, makes learning offensive cyber techniques a kind of Schrödinger’s felony.

If policymakers had reacted to watching Jaws by banning surfing and leaving enforcement up to prosecutors who’d never learned to swim, you’d have the marine equivalent to the Computer Fraud and Abuse Act. Eventually, you’d end up with no one able to cope with oceanic threats other than those who’d been willing to break the law to brave the waves. Then, imagine that the United States had a severe shortage of Coast Guard applicants who could already swim, fish, survive in hurricanes, and engage in deep sea rescue, and was totally bewildered as to why this shortage existed.