Articles like Immunizing the Internet, or: How I Learned To Stop Worrying and Love the Worm (.pdf) in the June 2006 (link will work shortly) Harvard Law Review make me embarrassed to be a Harvard graduate. This is the central argument:
[C]omputer networks, particularly the Internet, can be thought of as having immune systems that are strengthened by certain attacks. Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security. In essence, certain cybercrime can create more benefits than costs, and cybercrime policy should take this concept into account.
Apparently Harvard lawyers do not take economics classes. If they did (or paid attention) they would know of Frédéric Bastiat's parable of the broken window. The story demonstrates that crime, warfare, and other destructure behavior does not benefit society, since it shifts resources from productive behavior towards repair, recovery, and other defensive activities.
The HLR article continues:
Cybercrime is also different from other crime because it is amenable to innovative law enforcement approaches that exploit its unique underlying psychology. The objective of a bank robbery is to obtain money. Terrorists usually wish to maximize damage. Cybercrime, however, often provides no financial gain; many cyberattacks seem to originate from a desire for fame and attention or fun and challenge. Hackers often cause little to no permanent damage to the systems they successfully penetrate. This is true even of many high-profile cyber-attacks, in which damage initially appears to be widespread.
Wow, was this article published in 1996 or 2006? "No financial gain?" "Little to no permanent damage?" Welcome to the modern world, HLR. What would you consider permanent damage -- loss of life? Everything else can be repaired, even blasts by 2,000 pound bombs. Money spent on incident response and recovery, future lost revenue from decreased customer trust, insurance payments, spending on infrastructure -- all of this could be avoided in a world without "beneficial cybercrime."
Am I being too harsh? I don't think so. This is Harvard we're talking about, not Bunker Hill Community College.
Update: HLR should read Meet the Hackers.