Should the users be punished if they get hacked?

An interesting idea was put “out there in the world” by a Rochester Technology Institute professor, Josephine Wolff, during the Aspen Ideas Festival 2016, an idea which could teach regular users how to protect their devices against ill-intentioned people: what if users were punished for being hacked?

“The question in my field (cyber security) that I think would most benefit from more vigorous, widespread debate is what degree of responsibility and liability individual Internet users should have for participating, unknowingly, in the perpetration of cyber crimes and data breaches.”

Whenever we talk about people and computers, I believe there are mainly 2 types of people: people with great computer skills and people with not that great computer skills. Those with skills have preferred to seek and practice a deeper understanding of how a computer works; those with not that great computer skills have preferred to mainly learn how to use the computer. These are the 2 core types of computer people.

“The (generally well-meaning) people whose computers are infected and become part of the large bots that spew phishing emails and ransomware, or who click on the links and attachments in those phishing emails and carelessly surrender their login credentials or the contents of their hard drives play an enormous and devastating role in many (perhaps most) of the major cyber security incidents that occur today.”

It’s not about labeling but more about trying to understand that on the Internet, in the last 25 years, we’ve created a society. All of us. In the last 25 years we’ve tried harder and harder to accommodate each other by bringing ideas from our own physical reality into the virtual one, which is an organic, normal, natural human evolutionary process, I believe. We’ve tried so hard for our virtual reality to reflect the physical one. And we still do. Because we see unlimited potential. And what rational being wouldn’t want to exploit all that potential?

“And yet, for the most part, discussion of these careless mistakes and oversights on the part of people with poor computer hygiene centers on the need for better education and awareness-raising. Very rarely do we grapple with the question of whether, perhaps, the only way to get individuals to take this seriously and actually change their behavior––to be more attentive to issues of security––is if there are concrete penalties and consequences associated with participating in bots, falling for phishing attacks, failing to install security updates, and other basics of computer hygiene.”

Now, in the above quote, Professor Wolff is aware that people make mistakes, but she puts pressure on the inexperienced user. She’s aware that most cyber crimes happen because of those with fewer computer skills. It’s an exploit the opposition is taking advantage of. Isn’t that the way hacking works? By exploiting?

A significant number of cyber crimes are a mix of software (even hardware) and social engineering. Most people are familiar with the software and hardware part – we’ve all seen movies, we’re all familiar with computer viruses, cyber theft, etc. But I want to focus on the social engineering part, the part which most people don’t take into consideration.

Cyber crimes are caused by computer-skilled people, but they’re not experts just on how to use computers. They also exploit the inexperienced user’s mind. Think about all the click baiting that exists on the Internet. Think about all the times a link, a spam message or an ad made you believe in something and took you places on the Internet where, by the time you realized you’d made a mistake, you were already a victim. That’s social engineering. There’s not that much hacking software involved in the process; it’s social hacking, if you will.

Cyber security is not just about computer skills and how to protect yourself. Cyber security is about wanting to know how to protect yourself, about wanting to grow. Because we’ve put so much into this World Wide Web we’ve created so far, for some people it’s hard to keep up. The inexperienced user should understand, though, that we’re the ones who created it in the first place. The inexperienced user wanted to take part in it immediately after he created his first ID, his first e-mail account, etc. Of course, these are times when the Internet is growing so fast that you’re constrained to be a part of it. You’re constrained by your electricity, phone, Internet providers and so on. Professor Wolff adds:

“This possibility raises difficult and important questions, especially around how we distinguish people who make stupid mistakes, for which there should be consequences, from those targeted by truly sophisticated adversaries, who should not be penalized for falling victim to a scheme that no one could reasonably have been expected to defend against. It also raises the crucial issue of how much technical support, signaling, and warnings are required for such a system to be viable and fair, as well as significant challenges of enforcement and attribution.

All of these are questions worthy of greater discussion and debate––as unpalatable as it may seem, at first glance, to contemplate the possibility of individual liability for unintentional complicity in computer crimes.”

I agree with the fact that cyber crimes can be slowed down and even stopped. If the inexperienced user wants to keep up. Learn. It’s 2016. A professor of a technology institute is already having ideas of making the inexperienced user pay for his virtual mistake. Someone actually wanted to debate the idea of making the inexperienced user pay fines for his innocence. It seems to me this is a wake-up call, because it’s not considered the user’s innocence anymore.

It’s not good enough to just know you need an antivirus, not good enough to just know how to type an address and click a link. The inexperienced user should start investing in his computer skills. Just like an inexperienced person has to do in the real world if he wants a better job. The inexperienced user wanted a virtual ID. He needs to start learning how to really protect it.

LinkedIn, the professionals’ network, a place where users create their CVs and interact with companies, a place where they have the opportunity to get a job, found out that in 2012 it had a security breach. LinkedIn statistics showed that “123456” was the no. 1 weakest password used by LinkedIn users (753305 accounts), with “linkedin” (172523 accounts) as the 2nd and “password” (144458 accounts) as the 3rd. Summed up, that is 1070286 victims.

The inexperienced user won’t start improving his computer skills by paying a penalty. Fear can be a hard motivator (after all, the experienced users got click baited, infected and scammed too, before they had any computer skills, right? – so, they had to learn how to protect themselves against all of those) but it sounds all too harsh: he’s been using his computer for his small routine for years now, and the minute he steps out of the fence, he gets punished.

So that it can teach him a lesson to think twice about every action, on every web border he sees. No. The Internet is a virtual reality but free. And, in a free world, you still have a choice when limits exist in place. A choice of crossing those limits or staying inside them, both at the inexperienced user’s expense. The inexperienced user will learn when there’s awareness. He’ll do that by wanting to become the experienced user by choice.

And, taking it to the next level: it’s a fact that this year, CEOs from Facebook, Google, Spotify had their accounts hacked for reusing passwords – in an environment in which the user has to pay for getting hacked, how would their innocence work?

Quotes source: The Atlantic.