I don't understand how the Sony hack relates to the proposed changes to the CFAA. If the attacker was North Korea--as suggested by the administration (which I don't believe)--then how would increasing penalties for "hacking" or developing (or even sharing) "hacking tools" make a difference? As if we had any jurisdiction whatsoever over there or that the laws of the United States would somehow deter foreign attackers.
If they want to increase penalties for anything it should be for companies failing to secure their systems. Attackers can often use very sophisticated methods to make their way into internal networks but once they're in it's run-of-the-mill, patched-three-years-ago vulnerabilities that let them do the most damage.
There's a lot of negligence going on inside corporate networks with regard to information security and one of the justifications I often hear is that they can't justify increased spending (or spending any money whatsoever) on IT security when the costs of an attack are unknown. If we apply significant punitive damages then the costs would be much easier to calculate and justify.
> I don't understand how the Sony hack relates to the proposed changes to the CFAA.
I'm guessing that the lobbyists behind SOPA, PIPA, CISPA, etc. have been trying to push something like this for a while, but now think that the Sony hack has scared enough people that the bill can appear like it has popular support.
> If the attacker was North Korea--as suggested by the administration (which I don't believe)--then how would increasing penalties for "hacking" or developing (or even sharing) "hacking tools" make a difference?
This might be a bit off-topic, but there's potentially a distinction between North Korea being responsible for the hack of Sony, and whoever the people are who actually penetrated Sony's network and extracted/deleted the data. By analogy: if you pay an assassin to kill someone, the law holds both you and the assassin responsible.
I think this is what the government means when they say North Korea was responsible--not necessarily that every participant in the attack was a North Korean in North Korea.
It is well known that NKorea and China are partners in a cyberwar against the west. NKorea's elite hacker team are stationed in China. This has all been documented by various groups and reporters.
I think a lot of the skepticism here and the general praise of autocratic states on HN are mostly from a lot of people with an anti-US bone to pick or other political agenda. So to them, the US is always wrong, so they hold up NKorea, China, Russia, and Iran as bastions of liberty, honesty, and utopia. It's incredible how delusional these people are.
I also think a lot of people, especially right/libertarian leaning kids, lean toward autocracy and want a "decisive toughguy" leader for their own political and emotional reasons. Democracy, secular enlightenment, separation of powers, etc. is seen as weak. Of course, they think the autocrats will be on their side, the same way many think eugenics is a fine idea because, of course, "my people" will be allowed to procreate. There's a Fox News anchor who famously praised Putin and wished he had a Putin-like president during Russia's taking of Crimea. Of course, western sanctions have all but crippled Russia and the ruble today. I wonder if this anchor is still praising Russia's leadership.