Information Security News mailing list archives

Hackers to Face Tougher Sentences


From: InfoSec News <isn () c4i org>
Date: Fri, 3 Oct 2003 00:39:05 -0500 (CDT)

Forwarded from: security curmudgeon <jericho () attrition org>

By Brian Krebs
washingtonpost.com Staff Writer
October 2, 2003

Convicted hackers and virus writers soon will face significantly
harsher penalties under new guidelines that dictate how the government
punishes computer crimes.

Starting in November, federal judges will begin handing out the
expanded penalties, which were developed by the U.S. Sentencing
Commission. Congress ordered the changes last year, saying that
sentences for convicted computer criminals should reflect the
seriousness of their crimes.

"The increases in penalties are a reflection of the fact that these
offenses are not just fun and games, that there are real world
consequences for potentially devastating computer hacking and virus
cases," said John G. Malcolm, deputy assistant attorney general and
head of the U.S. Justice Department's computer crimes section. "Thus
far, the penalties have not been commensurate with the harm that these
hacking cases have caused to real victims."

There are multiple factors that a judge depends on to determine
whether to send someone to prison and for how long, but most maximum
prison sentences handed down for computer crime range from one year to
10 years. Hackers whose exploits result in injury or death -- if they
disable emergency response networks or destroy electronic medical
records, for example -- face 20 years to life in prison.

Hackers will face up to a 25 percent increase in their sentences if
they hijack e-mail accounts or steal personal data -- including
financial and medical records and digital photographs. Convicted virus
and worm authors face a 50 percent increase.

Sentences also will increase by 50 percent for hackers who share
stolen personal data with anyone. The sentences will double if the
information is posted on the Internet. More than half of the sentences
handed out under federal computer crime laws would be lengthened by
this change alone, according to a Sentencing Commission report
released in April.

Jail time also will double for hackers who break into government and
military computers or networks tied to the power grid or
telecommunications network.

Hackers who electronically break into bank accounts can be sentenced
based on how much money is in the account, even if they don't take any
of it. Under the new guidelines, however, judges can tack on a 50
percent increase to the sentence if the hacker did steal money.

Prosecutors traditionally had to show that computer criminals caused
at least $5,000 in actual losses to win a conviction. The new
guidelines let victims tally financial loss based on the costs of
restoring data, fixing security holes, conducting damage assessments
and lost revenue.

"Some computer crimes are more serious than others, and these new
guidelines reflect that critical infrastructures need to be protected
and that invasions of privacy need to be treated as seriously as
invasions of our pocketbooks," said Mark Rasch, former director of the
Justice Department's computer crimes division and chief security
counsel for Solutionary Inc., an Internet security company in Tysons
Corner, Va.

Kevin Mitnick, a well known former hacker who spent almost six years
in prison, said he doubts the increased penalties would deter hackers.

"The person who's carrying out the act doesn't think about the
consequences, and certainly doesn't think they're going to get
caught," Mitnick said. "I really can't see people researching what the
penalties are before they do something."

The new guidelines will not apply to sentences handed out or
prosecutions underway before Nov. 1. This includes the high-profile
case of Adrian Lamo, the 22-year-old computer hacker who stands
accused of infiltrating and damaging the New York Times Co.'s source
list and computer network.

In addition, the guidelines generally will not apply to juveniles, who
normally are charged in state courts. In one notable exception, the
government last week charged a North Carolina youth as an adult for
releasing a version of the Blaster worm.

Most computer criminals are well educated, have little or no criminal
history, commit their crimes on the job and often are seeking
financial gain, according to Sentencing Commission documents. Of the
116 federal computer crime convictions in 2001 and 2002, about half
involved disgruntled workers who used their knowledge to steal from or
to discredit their former employers.

Jennifer Granick, an attorney who represents one of those criminals,
said that they are unfairly singled out for tougher sentences than
other white-collar perpetrators.

"In most cases, the use of a computer is the trigger for prosecution
or for greater sentencing, because so many upward adjustments apply
once a computer is involved in the case," said Granick, director of
Stanford Law School's Center for Internet and Society.

Her client is Bret McDanel, a 30-year-old California man sentenced in
March to 16 months in prison for revealing sensitive security
information about his former employer's computer network. Federal
prosecutors said McDanel, who worked as a computer security staffer
for the now-defunct Tornado Development Inc., sent the information to
Tornado's 5,000 customers in September 2000, crashing the company's
server.

McDanel would have faced two years in jail under the new sentencing
guidelines, said Granick, who argued that it is difficult to place a
real dollar loss on computer crimes so judges typically impose harsher
sentences than necessary.

Granick also said prosecutors could manipulate the damage amount to
appear much larger than it really is, giving the government an
advantage in plea bargaining.

Malcolm, the Justice Department's computer crimes chief, said that the
department does not give prosecutors suggestions on determining damage
amounts, and that prosecutors pursue plea bargain negotiations on a
case-by-case basis.

Internet security expert Rasch said that the number of
computer-related prosecutions could rise as federal prosecutors try to
tie them into otherwise unrelated crimes. He said this is especially
possible in light of a recent memo from Attorney General John Ashcroft
urging prosecutors to seek more convictions and stronger sentences
based on the most serious charges they can find.

"We could soon end up seeing a greater number of ordinary crimes
prosecuted as computer crime in an effort to get more leverage for a
plea, just because somehow, somewhere there's a computer involved,"
Rasch said.

Malcolm said this is unlikely.

"In your run-of-the-mill cases where the computer is only a tangential
part of the crime, there are not going to be significant
enhancements," he said.

If there is an increase, he added, it is because "whether they're drug
dealers, embezzlers, hackers or software pirates... people who commit
crimes use computers more than they used to."



-
ISN is currently hosted by Attrition.org
