The Great "Cyber" Con

Hackers and hacking have been much in the news recently – for all the wrong reasons, unfortunately. The most dramatic case, perhaps, was the suicide of Aaron Swartz. He was threatened with 35 years in prison, partly for this:

a terms-of-service violation: when Swartz tried to download thousands of academic articles, he did so as an authorized guest user of the M.I.T. network. He didn't actually "hack" or "break" into the network; he violated the terms of service for guests by downloading too much stuff.

That's possible thanks to the US Computer Fraud and Abuse Act:

the most outrageous criminal law you've never heard of. It bans "unauthorized access" of computers, but no one really knows what those words mean. Orin Kerr, a former Justice Department attorney and a leading scholar on computer-crime law, argues persuasively that the law is so open-ended and broad as to be unconstitutionally vague. Over the years, the punishments for breaking the law have grown increasingly severe—it can now put people in prison for decades for actions that cause no real economic or physical harm.

Indeed, here's an example from just last week:

Today in astonishing prison time for computer crimes: Andrew ‘weev' Auernheimer has been sentenced to 41 months in jail, pretty much because he handed over some iPad email addresses to Gawker. Yes, that's a very long time for something that might not even be considered a crime. In addition, Auernheimer has to pay $73,000 to AT&T, all allegedly because he obtained "unauthorized access" to AT&T's information. The feds are using the now all too familiar charge of conspiracy to access a computer without authorization, along with a count of identity fraud — both of which Auernheimer was found guilty of back in November — to back up the three-plus years in prison, which he's appealing.

And here's another:

Keys who was terminated from the Tribune Company before he allegedly helped hackers from Anonymous break into the Los Angeles Times website and deface a single article. It was fixed within 30 minutes.

The suggested punishment for this crime?

up to 25 years in prison and $750,000 in fines for a few keystrokes.

As the last article points out:

Keys would've been better off putting his old Tribune boss in the hospital. Indeed, the maximum penalty for aggravated assault is 25 years in prison, based on the state. In New York, the fine cannot exceed $5,000. So should the criminal justice system treat computer nerds like violent criminals? Is it equally as harmful to society when a hacker replaces a headline on a news site with a weird joke — that's basically all Anonymous did with Keys' help — as it is to beat someone with a crowbar? Most reasonable people probably wouldn't think so, but it seems like federal prosecutors are not reasonable people, when it comes to computer crimes.

Whatever you think about the particular actions of the people involved, it's clear that the sentences are completely disproportionate – in many cases, hackers are being threatened with longer terms than those meted out to just about every category of serious criminal, including murderers. So the question has to be: why?

Basically, this is payback time. For the last twenty years, governments around the world have watched with horror as this strange new Internet thing gathered strength and power, until it reached the point where individuals could use it to come together to challenge many fundamental aspects of governmental control. In particular, the Internet could be used to disseminate information that was inconvenient or even downright dangerous for governments. That made the people who got hold of that information real enemies of the state – at least in the eyes of the governments concerned.

The idea of the current round of extreme sentences is to send out a message to other hackers and activists: the same could happen to you. The aim is to chill the use of the Internet to expose information that governments around the world would rather not have out in the open.

One of the clearest manifestations of a conscious plan to criminalise online activity is the sudden efflorescence of the "cyber" prefix. Today, we constantly hear about "cyberwar", "cyberattacks" and "cybersecurity", usually in the context of absurd claims, as in the following, which comes from the US Director of National Intelligence James Clapper:

Cyber attacks and cyber espionage pose a greater potential danger to U.S. national security than al-Qaida and other militants that have dominated America's global focus since Sept. 11, 2001, the nation's top intelligence officials said Tuesday.

For the first time, the growing risk of computer-launched foreign assaults on U.S. infrastructure, including the power grid, transportation hubs and financial networks, was ranked higher in the U.S. intelligence community's annual review of worldwide threats than worries about terrorism, transnational organized crime, and proliferation of weapons of mass destruction.

Wow, are we frightened yet? But then he makes the mistake of getting a little more specific:

Clapper said computer hackers "could access some poorly protected U.S. networks that control core functions, such as power generation" although their ability to cause "high-impact, systemic disruptions will probably be limited."

So in fact this isn't quite Armageddon, since "high-impact, systemic disruptions will probably be limited." Moreover, he admits that what he is talking about here are "poorly protected U.S. networks". In other words, the problem isn't "cyber" anything; it's just everyday incompetence on the part of the people running these important systems. Indeed, this lies at the heart of the case involving "Weev", discussed above, who is being subjected to exemplary punishment for exposing a serious security hole in AT&T's system.

The real solution to minimising threats to critical infrastructure – and, indeed, to ordinary commercial systems – is quite simple: make companies responsible for the consequences of lax security, not the people who point it out. The threat of huge fines hanging over them would wonderfully concentrate the minds of those whose job is to secure such systems.

So why don't governments around the world seize on what is an extremely simple fix that addresses the problem at its root? After all, no amount of sabre-rattling or threats of long prison sentences will stop criminal attacks that originate from unknown and probably well-hidden actors overseas. The answer can be found in the EU's very own "cybersecurity plan", part of which foresees granting extensive new powers to the European Network and Information Security Agency (ENISA), as explained here by Ross Anderson, Professor in Security Engineering at Cambridge University:

ENISA and the national agencies in its network will have access to "sufficient information" from almost everyone online, in effect extending the data-retention powers from phone companies and ISPs to service providers such as search engines, webmail providers, social networks and computer game operators. That is completely unacceptable as it would violate the constitutions of Germany and other countries (and in view of the hostile report by the UK parliament's review committee on the proposed Communications Data Bill, would likely be unacceptable even in the most surveillance-friendly of the EU member states). Finally, it is extremely difficult to see how such a provision could be squared with Article 8 of the European Convention on Human Rights.

In other words, under the guise of "cybersecurity", the EU is bringing in data retention plans that go way beyond the already excessive ones in place. The US is doing exactly the same with its "Cyber Intelligence Sharing and Protection Act". This is another reason why governments around the world love using this "cyber" word – it's the new "war on terror" that is invoked as a kind of magical incantation to justify any disproportionate new powers without further explanation.

It's time we called the bluff here. Anything that uses "cyber" in its title is a con, and should be laughed out of the room. Yes, attacks take place, but the fact that they take place across the Internet is no different from those using any other technology. Trying to claim that the "cyberthreat" is somehow qualitatively different is merely a demonstration of the abiding ignorance and fear that afflicts our rulers when it comes to the digital realm. If they truly want to address the real, not imaginary, problems that exist, they should try listening to the experts, rather than throwing them in prison.