Plus ça change, plus c’est la même chose (the more things change, the more they stay the same).^[84] In the area of information security, technology changes rapidly. As soon as the “good folks” catch up, the “bad folks” forge ahead with new attacks. In the area of information security, however, the saying holds true that the more things change, the more they stay the same.

Security professionals deal perennially with well-known and systemic problems, including poor user practices, buggy software, and a deliberate lack of leadership at the national level (at least in the United States, which has taken a market-driven approach up to this point). The pervasiveness of the problems, the regularity with which incidents containing common elements occur, and the depth of cultural influences that determine their continued existence suggest that legal intervention can make a difference. Indeed, information technology and law have already collided and will continue to collide at an increasing pace. In this chapter, I’ll offer some anecdotes and principles that will hopefully help you understand the positive potential of the interaction between law and information security.

Though you may be tempted to skip over this chapter because it is written by an attorney, consider the following: First, I was a crypto engineer in a previous life and therefore appreciate how technology and the law interrelate. Second, the intersection of ...