Everyone reading this post probably experienced having a credit card or debit card replaced due to security issues. In the case of recent retailer breaches, particular Target, millions of victims experienced the inconvenience of having to replace cards, then replace the card numbers in the numerous auto pay sites. Additionally, many of us experienced breaches at our place of employment, which leads to credit monitoring and the worry of who is using our identities. While the victims experience the pain caused by the cyber-attacks, the pain does not adequately reach the actual cause of the disruptive event.
In the aforementioned scenarios, the corporations, organizations, and government agencies all feel the pain along with the end customer or user. Following the infamous Target breach, the brand experienced impacts on its bottom line and needed to make personnel changes. After the recent breach at the Office of Personnel Management, the employee union wasted little time in filing a legal claim on behalf of the record number of employees impacted by the cyber-attack. Despite the best planned efforts, organizations experience severe impacts to their bottom line, reputation, and even the careers of leadership, especially those with the title of CIO.
But what happens to the perpetrators of such attacks? What happens to the hacker that caused such a disruptive event? While punishments vary by states, the federal penalties do not seem to be very much of a deterrent, unless the crime involved a government breach. Even then it needs to involve national security information to have any teeth. In considering the extent of external effects, we punish our low level drug offenders much harsher than people who commit cybercrimes.
There federal government is taking steps to increase the security of IT infrastructures in both the private and public sectors. In recent bipartisan legislation, greater information sharing is encouraged to help improve cyber security and responses. In addition, the Obama administration did recommend encompassing cybercrimes into RICO law enforcement, which would provide greater deterrents that the current environment. As the case in other crimes, the punishments should be sufficient to make the prospective criminal weigh the risks the planned act exposed him or her to.
While prevention is important, discouraging the crime and administering punishment for criminal acts is just as important. Additionally, too many nations are lax in their approaches to cybersecurity, providing a convenient home to commit cybercrimes. Another area of focus should be encouraging nations to step up enforcement, including recouping loses for crimes committed against Americans and our interests.