I have an idea for a solution. Legalize hacking, let everyone hack each other and spy on each other and whatnot, make every company out there explicitly aware that the internet is a jungle. This will create a demand for security and force software and hardware manufacturers to actually care about security and so on.
The internet is already a hostile jungle (look at the logs of any server you control). Legalizing hacking won't change that. It will just add a little more immunity to bad actors.
And it's kind of like legalizing burglary so that people will be forced to live in fortified compounds.
The NRA approach to safety and securing yourself and belongings. If everyone has a gun, everyone will be safe. Except for those who once owned guns and after a very scary mishap believe that it's safer to not own guns, and those that have already criminally mishandled guns and used them in commission of serious and violent crimes, and those who after weeks at the shooting range still can't hit the broadside of a barn. Except those people, everyone will be safe. Oh, and children. Screw the children, because they just don't have the mental capacity to understand the consequences that may occur after one shoots another.
I like this plan. Can't wait for my father, who can barely figure out how to attach a picture to an email in AOL's webmail, to start poking for XSS and CSRF vulnerabilities on the sites his spam mail links to, and changing his username to "1;DROP TABLE users" everywhere.
Cyber weapons are already legal to download and possess; it's a very different story from guns. Imagine if your competition could be legally allowed to steal your trade secrets, clients, and employees, but only through hacking. Would you not care enough to invest in security?
Perhaps rather than legalizing hacking, we should inject a common middleman into the vulnerability reporting process. In the US, it could be the Consumer Product Safety Commission. It would ensure that those accepting reports are knowledgeable and treat the report as important and also protect companies from having to deal with random white hats. Serious enough vulnerabilities could result in fines that are partially paid to the reporter as a bounty. It would also protect white hats from threats or retribution since they could remain anonymous if they choose.
We already have a process in place to deal with flaws in products produced by unlicensed entrepreneurs. We just need to extend it to apply to software products and services.
No, it won't. Because people hack right now too. What it would do, however, is force people who have ethical considerations to step back against people who don't have them. So, prepare for a lot of insider attacks and back doors. Not that those don't exist now; they do. But your proposal would give more advantage to bad actors than they have now, so they would get their way more often.