Someone accused of "hacking" (Ransomware, spam, stolen credit cards, etc.) may be brought to court to explain themselves, bring in (or implicate) their clients, present evidence, be judged, etc. That is the best process we have for dealing with crime and is why comparing hacking to germs is sidestepping an important part of the discussion.
Edit: To answer your actual question, I would say a more apt comparison would be to basic breaking & entering robbery. In the physical world it doesn't make sense for every building to have 2ft thick concrete walls, blast doors, iron bars, and complex locks that can defeat the most advanced techniques for breaking & entering because most robbers will not have access to those techniques and the ones that do will either be interested in other targets or deterred by the systems in place that prevent them from bringing these techniques to bear against some random gas station cash register. The problem, as I see it, described with this analogy is that the robbers (or "hackers" here) are empowered to be much less discriminating regarding their targets. To stay within this analogy, on a technical level the tools one would use for stealing from a bank vault are used just as easily to steal from a gas station cash register.
> Someone accused of "hacking" (Ransomware, spam, stolen credit cards, etc.) may be brought to court to explain themselves, bring in (or implicate) their clients, present evidence, be judged, etc. That is the best process we have for dealing with crime and is why comparing hacking to germs is sidestepping an important part of the discussion.
Agree with this, we should definitely prosecute crime where possible.
Unfortunately it seems to me that a lot of cybercrime is either 1) state sponsored, or 2) state sanctioned (and in either case originating in jurisdictions far from our reach), and there's often no way to bring them to court. Perhaps we could argue for threatening war against China/Russia over failure to prosecute hacking, but that doesn't seem very palatable to me (and of course, with the work the NSA does, we should be careful about holding others to standards we wouldn't want ourselves to be held to; that's probably its own conversation).
I was not really considering how we should treat the criminals, and was trying to make a case for something of a middle road on how we should think about the blameworthiness of companies that are victims of hacking. On one hand, just blaming the companies doesn't seem reasonable, but on the other, saying it's the government's responsibility to prosecute these criminals while giving the companies a pass on liabilities is a sub-optimal position as well, especially in a market economy where price signals are the default way of coordinating. (From my perspective it seems that currently under the law, we're much closer to the latter case, where companies get hacked and suffer very little liability in consequence, e.g. Equifax, Yahoo, etc.)
Recasting what I was trying to get at in your preferred crime/real-world frame, I think that most companies are doing something like being a bank, but keeping cash in the front-of-house instead of in a vault, or leaving the back door open, and then making the customer liable for the loss when they get robbed. I think most companies won't take security seriously unless there's an actual financial penalty for failing to do so. But some companies are getting popped by nation-states with huge engineering resources; in those cases I don't think it's necessarily reasonable to punish companies IF they were doing a good job. (I.e. if they did have a vault, and someone came in with a tank and leveled the building.)
At the same time, I also think that it's the government's job (carrying on the analogy) to 1) train banks on appropriate security measures, 2) invest in new vault technology, and 3) try to capture/reduce the bank robber bandits. But where this analogy breaks down is that these days we're extremely good at catching bank robbers, while it's unclear whether there's a mechanism by which we could arrest most hackers, and that's why I'm pushing for a solution which to some extent deals with the world as it is rather than solving the problem at its source as we would advocate for with most localized crime.