A new law proposed in the United Kingdom on Wednesday would offer life sentences to hackers who carry out “cyberattacks which result in loss of life, serious illness or injury or serious damage to national security, or a significant risk thereof,” the Guardian reports. Yet the law would not only focus on dangerous attacks affecting the country’s national security, because the increased sentence would also apply to hackers conducting corporate espionage, making the law just as harsh on those accused of stealing secrets as it is on cyberterrorists.
This misguided attempt to prevent the theft of trade secrets couldn’t come at a worse time. As the Guardian explains in its report, the law would criminalize actions that ultimately improve the Internet’s security, and therefore help the companies this law would portray as victims:
Any researchers looking for the recent Heartbleed bug, which left a vast number of websites open to attack, could have been charged under British hacking laws, said Trey Ford, global security strategist at penetration testing firm Rapid7. ‘It’s concerning that the law designed to protect people from cybercrime also penalises activity designed to identify areas of cyber risk,’ he said.
Invoking the Heartbleed bug should be enough to make any rational person reconsider a law that might prevent people from detecting serious threats to Internet security. There are few people actively searching for problems with security tools, and criminalizing those searches would only make them even less appealing. Given the fact that Heartbleed escaped detection for two years even though two-thirds of the Internet relied on the OpenSSL protocol it crippled, stopping the hunt for similar bugs might be more dangerous than the hunt itself.
But, then again, lawmakers aren’t particularly well-known for their even-handed approach to prosecuting digital crimes. Just consider the case of Barrett Brown, an activist journalist who has been threatened with 100 years in prison for sharing a link to a page with stolen credit card numbers. Or consider instead Aaron Swartz’s suicide, which followed an infamously harsh investigation into his decision to download files through a laptop connected to MIT’s network, and brought overzealous digital copyright laws to the forefront. Prosecuting those who break overzealous digital copyright laws and the like has become the modern witch hunt.
Now the British government is thinking of literally equating “corporate espionage” or actions that look like they might have been motivated by the desire to steal industry secrets — again, like those used to find critical security problems that businesses, governments, and consumers alike would probably prefer to be found — with acts of terrorism that lead to the death, injury, or illness of others. The only thing missing from this proposed law is a provision stating that anyone who weighs the same as a duck is obviously a witch… er, sorry, I meant to say “hacker.”