Schrödinger’s Hacking Law And Cyber Burnout: Capacity Building in U.S. Cybersecurity


In 2021, more than 2.7 million jobs in cybersecurity were unfilled. The dearth of cybersecurity experts serving anywhere in government and private industry has been described as a national security threat and an imperative. There are two reasons for this severe shortage of people in cybersecurity: bad law, and missing mental health support. 

First, the bad law, which makes it arguably illegal to learn to be a computer security expert, has a villain’s backstory. In 1986, thanks to policymakers who were overly terrified by a 1983 fictional movie called WarGames, starring Matthew Broderick (to be fair, this movie, along with 1992’s Sneakers and 1995’s Hackers, is beloved among the cybersecurity community), the United States got stuck with a truly terrible law called the Computer Fraud and Abuse Act (CFAA). And every day since, every person who’s been recruited to serve as a cyber warrior by the U.S. government has no idea whether they are a de facto multiple felon. There’s no real way to determine whether a CFAA violation has or will actually happen if you’re practicing on almost any computer using almost any technology, because interpretations of that law are up to the individual understanding of any local prosecutor, and local criminal prosecutors do not, in my sadly-more-than-typical involvement in CFAA prosecutions, have a great deal of understanding of the finer points of computer network access.

This lack of prosecutorial technical knowledge makes the CFAA uniquely problematic. Most prosecutors and juries can intuitively understand things like assault, drugs, and theft, but prosecutorial discretion in tech crimes, when those prosecutors do not understand the tech itself, means that many prosecutors rely on their emotions and politics to determine whether to prosecute someone under the CFAA. The range of discretion the CFAA offers prosecutors, combined with their lack of technical knowledge, makes learning offensive cyber techniques a kind of Schrödinger’s felony.
