Their minds are somehow unable to comprehend that only the good actors will fold and only bad actors will be left.
Other examples are: Firearms possession, supply chain law regarding human rights and child labor.
And I do think that security research should have some regulation about it, but it should be more about responsible handling of the privileged access you gained, or a responsibility to disclose found vulnerabilities in private and/or to a government entity. You know, "If you have gained access to a system, and you saw a button <Turn off cooling pump 2> and you pressed it, you are on the hook for the damages". That is common practice with paid pentesters already.
But we're at a point where a court had to decide if discovering an endpoint on an API without authorization is a "circumvention of a security boundary" or not. Luckily, we now have a ruling that accessing API endpoints without authorization logic is no circumvention of a security boundary, due to a lack of a security boundary like authorization.
That's the level we are at. I don't want to know what happens if foreign nation state actors start acting on this seriously.
I once ran a vulnerability scan at an industrial company that completely disabled their employees' ability to clock in and out. I didn't believe it had anything to do with my scanner at first, but it ran on a schedule and the scanner's schedule matched their outages exactly.
Eventually it turned out the timecard system had these IoT badge readers with a poorly written TCP stack. It would ACK every SYN, and worse, the half-open connections never closed, so during a port scan every port was left open until it exhausted the memory on the little buggers.
My point is... you can't know in advance what damage you'll do with this sort of testing. That's kind of the entire reason we have to actually perform the real world tests instead of assuming or emulating them.
It's also the reason that real world scanning without authorization is probably already a crime in most jurisdictions, whether it's enforced or not.
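The badge-reader failure described in the comment above, modelled as an added example in Python (this is not code from the thread and not any real reader's firmware). It simulates a listener's half-open connection table under a full port sweep from a scanner that never completes the handshake: one table with no SYN timeout and no cap, which is what the comment describes, beside one with a short timeout and a fixed backlog. The per-entry size, memory budget, port numbers, host names and timings are all constructed values.

```python
"""Half-open TCP connection table under a port sweep: unbounded vs. bounded.

Added illustration, not the thread's code. Constructed assumptions:
  - each half-open entry costs ENTRY_BYTES of RAM;
  - the firmware may spend MEMORY_BUDGET on the table before it falls over;
  - the scanner sends one SYN per port, one millisecond apart, and never ACKs.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ENTRY_BYTES = 64            # constructed: bytes per half-open entry
MEMORY_BUDGET = 256 * 1024  # constructed: RAM the device can spend on the table


@dataclass
class HalfOpenTable:
    syn_timeout: Optional[float]  # seconds before an un-ACKed entry is reaped; None = never
    max_entries: Optional[int]    # cap on simultaneous half-open entries; None = unbounded
    entries: Dict[Tuple[str, int], float] = field(default_factory=dict)
    peak: int = 0                 # largest table size seen
    refused: int = 0              # SYNs dropped because the backlog was full
    crashed: bool = False         # set once the table would exceed MEMORY_BUDGET

    def reap(self, now: float) -> None:
        """Drop entries that have waited longer than syn_timeout for their ACK."""
        if self.syn_timeout is None:
            return
        stale = [k for k, t in self.entries.items() if now - t > self.syn_timeout]
        for k in stale:
            del self.entries[k]

    def on_syn(self, src: str, dport: int, now: float) -> bool:
        """Return True if the stack answers SYN-ACK and records a half-open entry."""
        if self.crashed:
            return False
        self.reap(now)
        if self.max_entries is not None and len(self.entries) >= self.max_entries:
            self.refused += 1          # backlog full: drop the SYN instead of allocating
            return False
        if (len(self.entries) + 1) * ENTRY_BYTES > MEMORY_BUDGET:
            self.crashed = True        # the unbounded stack's fate: memory exhausted
            return False
        self.entries[(src, dport)] = now
        self.peak = max(self.peak, len(self.entries))
        return True

    def on_ack(self, src: str, dport: int, now: float) -> bool:
        """Complete the handshake; the entry leaves the half-open table."""
        if self.crashed:
            return False
        return self.entries.pop((src, dport), None) is not None


def port_sweep(table: HalfOpenTable, ports, start: float = 0.0, interval: float = 0.001) -> float:
    """One SYN per port from a scanner that never completes the handshake."""
    now = start
    for p in ports:
        table.on_syn("scanner", p, now)
        now += interval
    return now


def clock_in(table: HalfOpenTable, now: float) -> bool:
    """A legitimate client (the timecard server, constructed name) does SYN then ACK."""
    if not table.on_syn("timecard-server", 4001, now):
        return False
    return table.on_ack("timecard-server", 4001, now + 0.01)


def run(table: HalfOpenTable) -> dict:
    """Sweep all 65535 ports, wait five seconds, then try a normal clock-in."""
    end = port_sweep(table, range(1, 65536))
    works = clock_in(table, end + 5.0)
    return {"peak": table.peak, "crashed": table.crashed,
            "refused": table.refused, "clock_in_works": works}


if __name__ == "__main__":
    print("no timeout, no cap:", run(HalfOpenTable(syn_timeout=None, max_entries=None)))
    print("3 s timeout, 128 cap:", run(HalfOpenTable(syn_timeout=3.0, max_entries=128)))
```

The unbounded table fills to its memory budget partway through the sweep and the device stays dead afterwards, which is the outage the comment describes. The bounded table refuses SYNs while the scanner hammers it (a short, visible degradation rather than a crash) and is serving clock-ins again a few seconds after the sweep stops, because the timeout has reaped everything the scanner left behind.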
It is a huge security risk to treat systems as ancient eggshells you must not touch ever. A certain amount of touching has to be reasonable, because that is what foreign actors will do if they need to cause trouble. Apparently you could cause this company major operational harm with a Pi Zero. Why is that protected by professional ruin and jail time?
These laws, while I wanna say have a good intention, just do the opposite...
I myself, residing in Germany, developed a recon/vuln/scanning tool that I'm legally forbidden to publish cuz of the laws you just mentioned.
Though I wanted to open source the tool (spent ~10 years developing it), that's just not an option.
Don't wanna self-advertise here, but for the sake of better understanding, if you want to know the details you can read them here: https://blog.laughingman.dev/article/Ishikawa_10_years_of_bu...
And while URL obscurity alone is weak evidence of "special protection" of a resource, I'm sure some legal team would love to try to argue otherwise.