Why All The Cybersecurity Laws? Why Now?

Cyberlaw has become increasingly important since the advent of the internet. As Duggal (Duggal, 2016) aptly points out, at the beginning, the internet was like the Wild West–no laws, no limits, and no sheriff in town to keep bandits at bay. However, in the early days of internet-like entities in the 1960s and 1970s, there really wasn’t much interesting or valuable on the internet to steal. So it was like the Wild West, but without trains to commandeer, stagecoaches to hold up, or banks to rob. There were no laws, no law enforcement, but not much need for either.

Over the years, the proverbial trains, stagecoaches, and banks arrived on the internet. As nefarious activities began to become a problem, governments tried to address the issues with legislation, but they were already lagging behind. There have been many attempts to create and enforce laws to govern activities that occur online or on a computer. In the fairly early days, the US passed The Computer Fraud and Abuse Act of 1986 (Hughes, 1986) and The Computer Security Act of 1987 (Glickman, 1988). Other countries followed suit, with the UK passing The Computer Misuse Act of 1990 (Townsend, 2019) and India enacting The Information Technology Act of 2000 (Nagpal, 2007). As is true with all laws, these only applied to the countries in which they were passed. The result is a disparate smattering of laws across the globe, each one only governing a small geographic area while attempting to govern a global network.

By 2016, attackers were maturing. Nation states had begun to seriously employ hacking to further their political goals and intelligence objectives. Criminals were becoming more skilled and more organized. Governments and law enforcement agencies made some attempts to curb cybercrime by working with the governments of other countries. Many countries began engaging others in bilateral cyber-arrangements (Duggal, 2016)–kind of agreeing with each other, “I won’t hack you if you don’t hack me.” Other countries, though, decided not to participate in these types of agreements. Famously, Russia’s refusal to prosecute organized criminal groups that targeted citizens of western countries has led to an unprecedented explosion of cybercrime. Without fear of prosecution, criminal cyber-gangs were able to essentially operate as legal businesses in Russia, which resulted in a streamlining and professionalization of their criminal activities.

Now, in 2024, the trend has continued. Threat actors are at the most mature and dangerous we’ve yet seen them, legal frameworks remain two steps behind, and the “west” remains pretty wild. However, progress is being made. Beyond writing legislation that creates consequences for those actively engaged in cybercrime, lawmakers have increasingly instated requirements for companies that store sensitive data. By legally requiring companies to follow certain cybersecurity practices, lawmakers aim to lower the criminals’ rates of success. At the end of 2023, for example, the Securities and Exchange Commission implemented a new rule that forces registrants to disclose serious cybersecurity incidents within 4 days (Zukis, 2024). Shafer and Vecci (Shafer & Vecci, 2023) tell an interesting story about a ransomware incident that highlights both the importance and a shortcoming of such a requirement. In the incident, a company was being extorted by a ransomware gang. The company failed to disclose the breach to the SEC. The gang, being aware of the SEC’s requirements, then threatened that they would report the company’s failure to disclose to the SEC. The company put itself in a terrible strategic position by not reporting the breach, but it’s also true that the SEC’s rule inadvertently supplied the ransomware gang with extra leverage.

Personally, I think that reporting rules are good. I think most compliance requirements are good. I think that most companies do far too little to protect themselves from cyberattacks, and compliance requirements can help motivate them to do more. Our lives are more online than ever before, companies store more of our personal information than ever before, and cybercrime continues to become more professional and profitable. These factors combine to mean that now is perhaps the most important moment in history for cyber law. That being said, it’s not all doom and gloom. For the past couple of years, the UN has been drafting and negotiating an international treaty on cybercrime (Wilkinson, 2023). With some luck maybe this treaty will help governments work together to reduce cybercrime rates in a concerted effort across the globe. Maybe. Until that far-off future comes, the internet will remain what it has been since the beginning: The Wild West.

References

2024

  1. Zukis | Forbes
    Companies Are Already Not Complying With The New SEC Cybersecurity Incident Disclosure Rules
    Bob Zukis
    2024
    Section: Leadership Strategy

2023

  1. Shafer | Varonis
    Cybersecurity Trends for 2024: What You Need to Know
    Scott Shafer and Brian Vecci
    2023
  2. Wilkinson | Chatham House
    What is the UN cybercrime treaty and why does it matter?
    Isabella Wilkinson
    2023

2019

  1. Townsend | United States Cybersecurity Magazine
    A Brief and Incomplete History of Cybersecurity
    Caleb Townsend
    2019

2016

  1. Duggal | TEDeX
    Future of Cyber Law
    Pavan Duggal
    2016

2007

  1. Nagpal | Self-Published
    7 years of Indian Cyber Law
    Rohas Nagpal
    2007

1988

  1. Glickman | Congress.gov
    H.R.145 - 100th Congress (1987-1988): Computer Security Act of 1987
    Dan Glickman
    1988
    Archive Location: 1987-01-06, Type: legislation

1986

  1. Hughes | Congress.gov
    H.R.4718 - 99th Congress (1985-1986): Computer Fraud and Abuse Act of 1986
    William J. Hughes
    1986
    Archive Location: 1986-04-30, Type: legislation


