[ISN] Hackers to Face Tougher Sentences

From: InfoSec News (isn@private)
Date: Thu Oct 02 2003 - 22:39:05 PDT

    Forwarded from: security curmudgeon <jericho@private>
    
    By Brian Krebs
    washingtonpost.com Staff Writer
    October 2, 2003
    
    Convicted hackers and virus writers soon will face significantly
    harsher penalties under new guidelines that dictate how the government
    punishes computer crimes.
    
    Starting in November, federal judges will begin handing out the
    expanded penalties, which were developed by the U.S. Sentencing
    Commission. Congress ordered the changes last year, saying that
    sentences for convicted computer criminals should reflect the
    seriousness of their crimes.
    
    "The increases in penalties are a reflection of the fact that these
    offenses are not just fun and games, that there are real world
    consequences for potentially devastating computer hacking and virus
    cases," said John G. Malcolm, deputy assistant attorney general and
    head of the U.S. Justice Department's computer crimes section. "Thus
    far, the penalties have not been commensurate with the harm that these
    hacking cases have caused to real victims."
    
    There are multiple factors that a judge depends on to determine
    whether to send someone to prison and for how long, but most maximum
    prison sentences handed down for computer crime range from one year to
    10 years. Hackers whose exploits result in injury or death -- if they
    disable emergency response networks or destroy electronic medical
    records, for example -- face 20 years to life in prison.
    
    Hackers will face up to a 25 percent increase in their sentences if
    they hijack e-mail accounts or steal personal data -- including
    financial and medical records and digital photographs. Convicted virus
    and worm authors face a 50 percent increase.
    
    Sentences also will increase by 50 percent for hackers who share
    stolen personal data with anyone. The sentences will double if the
    information is posted on the Internet. More than half of the sentences
    handed out under federal computer crime laws would be lengthened by
    this change alone, according to a Sentencing Commission report
    released in April.
    
    Jail time also will double for hackers who break into government and
    military computers or networks tied to the power grid or
    telecommunications network.
    
    Hackers who electronically break into bank accounts can be sentenced
    based on how much money is in the account, even if they don't take any
    of it. Under the new guidelines, however, judges can tack on a 50
    percent increase to the sentence if the hacker did steal money.
    
    Prosecutors traditionally had to show that computer criminals caused
    at least $5,000 in actual losses to win a conviction. The new
    guidelines let victims tally financial loss based on the costs of
    restoring data, fixing security holes, conducting damage assessments
    and lost revenue.
    
    "Some computer crimes are more serious than others, and these new
    guidelines reflect that critical infrastructures need to be protected
    and that invasions of privacy need to be treated as seriously as
    invasions of our pocketbooks," said Mark Rasch, former director of the
    Justice Department's computer crimes division and chief security
    counsel for Solutionary Inc., an Internet security company in Tysons
    Corner, Va.
    
    Kevin Mitnick, a well-known former hacker who spent almost six years
    in prison, said he doubts the increased penalties would deter hackers.
    
    "The person who's carrying out the act doesn't think about the
    consequences, and certainly doesn't think they're going to get
    caught," Mitnick said. "I really can't see people researching what the
    penalties are before they do something."
    
    The new guidelines will not apply to sentences handed out or
    prosecutions underway before Nov. 1. This includes the high-profile
    case of Adrian Lamo, the 22-year-old computer hacker who stands
    accused of infiltrating and damaging the New York Times Co.'s source
    list and computer network.
    
    In addition, the guidelines generally will not apply to juveniles, who
    normally are charged in state courts. In one notable exception, the
    government last week charged a North Carolina youth as an adult for
    releasing a version of the Blaster worm.
    
    Most computer criminals are well educated, have little or no criminal
    history, commit their crimes on the job and often are seeking
    financial gain, according to Sentencing Commission documents. Of the
    116 federal computer crime convictions in 2001 and 2002, about half
    involved disgruntled workers who used their knowledge to steal from or
    to discredit their former employers.
    
    Jennifer Granick, an attorney who represents one of those criminals,
    said that they are unfairly singled out for tougher sentences than
    other white-collar perpetrators.
    
    "In most cases, the use of a computer is the trigger for prosecution
    or for greater sentencing, because so many upward adjustments apply
    once a computer is involved in the case," said Granick, director of
    Stanford Law School's Center for Internet and Society.
    
    Her client is Bret McDanel, a 30-year-old California man sentenced in
    March to 16 months in prison for revealing sensitive security
    information about his former employer's computer network. Federal
    prosecutors said McDanel, who worked as a computer security staffer
    for the now-defunct Tornado Development Inc., sent the information to
    Tornado's 5,000 customers in September 2000, crashing the company's
    server.
    
    McDanel would have faced two years in jail under the new sentencing
    guidelines, said Granick, who argued that it is difficult to place a
    real dollar loss on computer crimes so judges typically impose harsher
    sentences than necessary.
    
    Granick also said prosecutors could manipulate the damage amount to
    appear much larger than it really is, giving the government an
    advantage in plea bargaining.
    
    Malcolm, the Justice Department's computer crimes chief, said that the
    department does not give prosecutors suggestions on determining damage
    amounts, and that prosecutors pursue plea bargain negotiations on a
    case-by-case basis.
    
    Internet security expert Rasch said that the number of
    computer-related prosecutions could rise as federal prosecutors try to
    tie them into otherwise unrelated crimes. He said this is especially
    possible in light of a recent memo from Attorney General John Ashcroft
    urging prosecutors to seek more convictions and stronger sentences
    based on the most serious charges they can find.
    
    "We could soon end up seeing a greater number of ordinary crimes
    prosecuted as computer crime in an effort to get more leverage for a
    plea, just because somehow, somewhere there's a computer involved,"
    Rasch said.
    
    Malcolm said this is unlikely.
    
    "In your run-of-the-mill cases where the computer is only a tangential
    part of the crime, there are not going to be significant
    enhancements," he said.
    
    If there is an increase, he added, it is because "whether they're drug
    dealers, embezzlers, hackers or software pirates... people who commit
    crimes use computers more than they used to."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    


