How could you possibly make it illegal to host insecure services? Is any service 100% secure? And if it were how would we know?
I do agree with the audit and punishments for clear failure to adhere to established standards.
This is a solved problem in pretty much every other domain of life - if you are following best practices but something that wasn't reasonably foreseeable happens, then you're fine, but if the bad thing happens as a result of negligence then you are in trouble.
Criminal law isn't about making things alright for the victim. That's what insurance is for.
Even if you leave your door unlocked, if someone walks in and steals your stuff, it's a crime. The state has an interest in prosecuting crimes even if the victim didn't do everything they could to prevent it.
> Criminal law isn't about making things alright for the victim
Restitution and retribution are the components of justice [1] entirely about "making things alright for the victim."
[1] https://www.unodc.org/e4j/en/crime-prevention-criminal-justi...
The company is not the victim here. Its users are. [I suppose my previous comment was a bit ambiguous - I meant something bad happens to someone else, not to yourself]
A better version of your analogy would be if your landlord failed to repair your front door in a reasonable period of time and as a result someone walked in and stole your stuff. Yes, the thief is the primary responsible party, but the landlord's negligence in maintaining the property probably also exposes them to some liability.
P.S. This is neither here nor there, but restitution is a part of criminal law.
"Best practice" in cybersecurity is largely vendor-driven with little to no independent empirical validation.
That standard is likely to lock people into buying some pretty bad software, but it does little to ensure that they're running reasonably secure systems.
I like to relate it to operating an automobile. You can follow every traffic law and still be liable in an accident, because you owned the vehicle that caused the damage. This is why you have insurance.
In civil law maybe, but you aren’t allowed to blame a rape victim for choosing to walk down rape alley…
"established standards" - now who has the incentive to run shitty services? those big enough to control the "established standards".
No building has a 100% chance of not caving in, yet somehow I think charges would be laid if a skyscraper caved in.
The equivalent analogy is charging lock/door/drywall/timber makers and suppliers for lapses if a thief entered the house by picking a lock or drilling/sawing through the wall.
No, it’s more like me storing my money at a bank, and then someone stealing from the bank, who told me they were secure. And turns out they had shitty locks.
This analogy seems to be portraying 'ransomware hackers' as an unstoppable force of nature akin to gravity.
I'm not sure that's a fair analogy.
I think it’s a very fair analogy. The _only_ way to stop them is to make your stuff secure. That’s literally the only way.
Your analogy portrays gravity as a thing that buildings cannot be built to withstand. There are plenty of structurally sound buildings and while there are plenty of secure apps the problem is there’s no incentive to build the latter.
The other side of that spectrum portrays the service providers as pure, negligence-free victims. The truth is probably somewhere in the middle.