Forwarded from: security curmudgeon <jericho@private>

By Brian Krebs
washingtonpost.com Staff Writer
October 2, 2003

Convicted hackers and virus writers soon will face significantly harsher penalties under new guidelines that dictate how the government punishes computer crimes.

Starting in November, federal judges will begin handing out the expanded penalties, which were developed by the U.S. Sentencing Commission. Congress ordered the changes last year, saying that sentences for convicted computer criminals should reflect the seriousness of their crimes.

"The increases in penalties are a reflection of the fact that these offenses are not just fun and games, that there are real world consequences for potentially devastating computer hacking and virus cases," said John G. Malcolm, deputy assistant attorney general and head of the U.S. Justice Department's computer crimes section. "Thus far, the penalties have not been commensurate with the harm that these hacking cases have caused to real victims."

There are multiple factors that a judge depends on to determine whether to send someone to prison and for how long, but most maximum prison sentences handed down for computer crime range from one year to 10 years. Hackers whose exploits result in injury or death -- if they disable emergency response networks or destroy electronic medical records, for example -- face 20 years to life in prison.

Hackers will face up to a 25 percent increase in their sentences if they hijack e-mail accounts or steal personal data -- including financial and medical records and digital photographs. Convicted virus and worm authors face a 50 percent increase.

Sentences also will increase by 50 percent for hackers who share stolen personal data with anyone. The sentences will double if the information is posted on the Internet. More than half of the sentences handed out under federal computer crime laws would be lengthened by this change alone, according to a Sentencing Commission report released in April.

Jail time also will double for hackers who break into government and military computers or networks tied to the power grid or telecommunications network.

Hackers who electronically break into bank accounts can be sentenced based on how much money is in the account, even if they don't take any of it. Under the new guidelines, however, judges can tack on a 50 percent increase to the sentence if the hacker did steal money.

Prosecutors traditionally had to show that computer criminals caused at least $5,000 in actual losses to win a conviction. The new guidelines let victims tally financial loss based on the costs of restoring data, fixing security holes, conducting damage assessments and lost revenue.

"Some computer crimes are more serious than others, and these new guidelines reflect that critical infrastructures need to be protected and that invasions of privacy need to be treated as seriously as invasions of our pocketbooks," said Mark Rasch, former director of the Justice Department's computer crimes division and chief security counsel for Solutionary Inc., an Internet security company in Tysons Corner, Va.

Kevin Mitnick, a well known former hacker who spent almost six years in prison, said he doubts the increased penalties would deter hackers.

"The person who's carrying out the act doesn't think about the consequences, and certainly doesn't think they're going to get caught," Mitnick said. "I really can't see people researching what the penalties are before they do something."

The new guidelines will not apply to sentences handed out or prosecutions underway before Nov. 1. This includes the high-profile case of Adrian Lamo, the 22-year-old computer hacker who stands accused of infiltrating and damaging the New York Times Co.'s source list and computer network.

In addition, the guidelines generally will not apply to juveniles, who normally are charged in state courts. In one notable exception, the government last week charged a North Carolina youth as an adult for releasing a version of the Blaster worm.

Most computer criminals are well educated, have little or no criminal history, commit their crimes on the job and often are seeking financial gain, according to Sentencing Commission documents. Of the 116 federal computer crime convictions in 2001 and 2002, about half involved disgruntled workers who used their knowledge to steal from or to discredit their former employers.

Jennifer Granick, an attorney who represents one of those criminals, said that they are unfairly singled out for tougher sentences than other white-collar perpetrators.

"In most cases, the use of a computer is the trigger for prosecution or for greater sentencing, because so many upward adjustments apply once a computer is involved in the case," said Granick, director of Stanford Law School's Center for Internet and Society.

Her client is Bret McDanel, a 30-year-old California man sentenced in March to 16 months in prison for revealing sensitive security information about his former employer's computer network. Federal prosecutors said McDanel, who worked as a computer security staffer for the now-defunct Tornado Development Inc., sent the information to Tornado's 5,000 customers in September 2000, crashing the company's server.

McDanel would have faced two years in jail under the new sentencing guidelines, said Granick, who argued that it is difficult to place a real dollar loss on computer crimes so judges typically impose harsher sentences than necessary.

Granick also said prosecutors could manipulate the damage amount to appear much larger than it really is, giving the government an advantage in plea bargaining.

Malcolm, the Justice Department's computer crimes chief, said that the department does not give prosecutors suggestions on determining damage amounts, and that prosecutors pursue plea bargain negotiations on a case-by-case basis.

Internet security expert Rasch said that the number of computer-related prosecutions could rise as federal prosecutors try to tie them into otherwise unrelated crimes. He said this is especially possible in light of a recent memo from Attorney General John Ashcroft urging prosecutors to seek more convictions and stronger sentences based on the most serious charges they can find.

"We could soon end up seeing a greater number of ordinary crimes prosecuted as computer crime in an effort to get more leverage for a plea, just because somehow, somewhere there's a computer involved," Rasch said.

Malcolm said this is unlikely. "In your run-of-the-mill cases where the computer is only a tangential part of the crime, there are not going to be significant enhancements," he said.

If there is an increase, he added, it is because "whether they're drug dealers, embezzlers, hackers or software pirates... people who commit crimes use computers more than they used to."