Should the Careless Be Punished for Getting Hacked?


A computer security expert grapples with how to better protect us from cyberattacks.

Nearly everyone with internet access is harmed, at least indirectly, by digital criminals.

Josephine Wolff, a professor at the Rochester Institute of Technology, believes cybersecurity policy would benefit from a debate about if and when it might be appropriate to punish careless computer users for their role in enabling those criminals.

She writes:

The question in my field (cybersecurity) that I think would most benefit from more vigorous, widespread debate is what degree of responsibility and liability individual Internet users should have for participating, unknowingly, in the perpetration of cybercrimes and data breaches. The (generally well-meaning) people whose computers are infected and become part of the large bots that spew phishing emails and ransomware, or who click on the links and attachments in those phishing emails and carelessly surrender their login credentials or the contents of their hard drives play an enormous and devastating role in many (perhaps most) of the major cybersecurity incidents that occur today.

And yet, for the most part, discussion of these careless mistakes and oversights on the part of people with poor computer hygiene centers on the need for better education and awareness-raising. Very rarely do we grapple with the question of whether, perhaps, the only way to get individuals to take this seriously and actually change their behavior––to be more attentive to issues of security––is if there are concrete penalties and consequences associated with participating in bots, falling for phishing attacks, failing to install security updates, and other basics of computer hygiene.

This possibility raises difficult and important questions, especially around how we distinguish people who make stupid mistakes, for which there should be consequences, from those targeted by truly sophisticated adversaries, who should not be penalized for falling victim to a scheme that no one could reasonably have been expected to defend against. It also raises the crucial issue of how much technical support, signaling, and warnings are required for such a system to be viable and fair, as well as significant challenges of enforcement and attribution.

All of these are questions worthy of greater discussion and debate––as unpalatable as it may seem, at first glance, to contemplate the possibility of individual liability for unintentional complicity in computer crimes.

On Friday, Wolff will speak on the subject “Who Should Safeguard Our Data” during a panel at the Aspen Ideas Festival, co-sponsored by the Aspen Institute and The Atlantic.