Close this menu

Catch the Criminals – Don’t Pass the Buck

When a crime is committed it’s the criminal that is responsible.  But some in Congress think that since capturing cyber-criminals is challenging we should hold online services accountable.  That’s like holding Ford accountable for making the car a bank-robber uses.

But that didn’t stop the attempts by Sen. McCain to assign false blame at today’s Senate hearing on a threat to consumers called “malvertisements” — when a cyber-criminal injects malware into an online ad and then misleads an ad network into displaying the contaminated ad.

I appreciated the shift in focus from privacy to security as threats to consumers’ security pose real harms.  Unfortunately, the hearing was more about trying to assign liability rather than talking about catching the criminal perpetrators of this new form of malware.

[pullquote]Worry less about assigning liability. It’s clear where liability for any crime rests, with the criminal.[/pullquote]

Everyone in the hearing agreed that it is the criminal who is responsible for this attack – but online advertisers were the ones that Sen. McCain was holding accountable.

Not once during this hearing did I hear mention of the Computer Fraud and Abuse Act (CFAA) which gives law enforcement the power to send criminals to jail for injecting this malware.  Not once did I hear mention of the Department of Justice’s cyber-crime division.  While the FTC was called to testify and has proper authority to address these concerns, its funding is not so sizable and it’s manpower so great that it can address this threat.

For the legislators asking, “what should government do?”  I suggest the following:

  1. Worry less about assigning liability.  It’s clear where liability for any crime rests, with the criminal.
  2. We have laws that criminalize malvertisements: the afore mentioned CFAA and the FTC’s Section 5 authority.
  3. So what government can do is increase the funding and resources of our law enforcement agencies to track down and bring to justice the cyber-criminals creating these malware attacks.

We create laws to be enforced.  Rather than calling a hearing to discuss who other than the criminal should be accountable, we should instead be talking about what we’re doing to stop the criminals and how to arrest them when they commit these crimes.