Digital2Law Guest Post: Regulations against hacking – the David vs Goliath battle

2017 has been the year when a combined public and private effort to limit hacking and its effects has been felt across the globe. Developments that have moved the needle in this space range from a much-awaited response from Facebook regarding the Russian hackers that influenced the results of the 2016 US presidential elections, to large fines contemplated by some governments as they seek to best implement the EU Network and Systems Directive, to news about the rather lax stance companies took towards cyber security right before major hacks happened.
Any measure aimed at preventing hacking and the negative effects arising from it needs to take into account one major flaw of all regulation, one that is especially relevant in the fast-paced digital age: law is always several steps behind social phenomena. Historically, we have drafted regulations to create frameworks for the past or, at best, the present state of affairs. Especially in today’s world, where the decision-making process behind drafting regulations is burdensome and long, drafting a piece of legislation that stands the test of time is a complicated, if not impossible, mission.
Unfortunately, cyber hacking manages to keep up the pace far better than remedies against it. This begs the question:

How well are some of the current regulations against hacking managing to face the hackers’ ingenuity and adaptability?

For instance, the UK’s anti-hacking legal framework is largely guided by the Computer Misuse Act of 1990. In its initial drafting and subsequent changes, all acts of accessing computers or technical systems and infrastructures without authorization were considered crimes if performed with intent – no negligence or other type of fault would have made a person liable under the law. It was not until 2006 that cases like DDoS attacks were also covered by the law, by including the situation of impairing or creating faults in a system. The need arose from a practical case which could not have fallen under the original drafting of the law.
On the other side of the ocean, the US Computer Fraud and Abuse Act (CFAA) was drafted at a time (the late ’80s) when access to technology was not that widespread, and a critique recently raised about its drafting is that it is too wide in scope given the advances of the past almost 40 years. As an example, courts in the US have dealt with cases where the subject matter was a private server being hacked, and the piece of legislation used in the analysis was the CFAA. It was drafted mainly to protect national security systems from external meddling, so its underlying rationale was public safety, not overarching protection and conditions applicable to all types of technical infrastructure. As a result, it has been applied in cases that range from widespread worm infection of computers to the effects of bad language used on social media profiles. Quoting from the article linked above, “Congress set out in the 1980s with only the vaguest notions of what computer technology would become and how we would use it a few decades later.”

A final example comes from China, where cyber crime has been regulated under the country’s Criminal Code since 1997.

Given the country’s status as an emerging economy, it made sense to have a handful of general provisions included in a general piece of legislation rather than regulating these activities separately. Only as recently as 2016, with the advent of terrorism and cyber attacks guided by terrorist organisations, has the Chinese government decided to enact a separate piece of legislation to address these issues. Its drafting mirrors the Chinese authorities’ desire to keep a tight grip on activities in the digital space, and it reflects the direction in which the country has evolved its tech sector: by building local digital products and services and restricting access to those originating from other markets. There is little information available about the state of hacking happening in China, as most Western outlets focus on Chinese hackers breaking into other countries’ systems – some attacks by the Anonymous group or a counter-offensive by Google to an initial Chinese hack are the only examples we could find, but they all date from before 2016, when the new law was enacted.
Digital2Law is the go-to flexible and affordable legal partner for entrepreneurs, startups and companies building tech products and proprietary technology, and a network of experts & know-how adapted to the current and future state of the workplace.
