http://www.denverpost.com/Stories/0,1413,36~33~1739529,00.html

By Jennifer Beauprez
Denver Post Business Writer
November 03, 2003

As attacks on computers get more sophisticated, more dangerous and more costly, the bad guys responsible rarely do hard time.

Most people convicted of unleashing malicious code or hacking into computers receive sentences of one to three years, or they get probation and a warning to stay away from computers.

"It's frustrating," said Eric Smith, who chased down cybercriminals for three years as an investigator for the Air Force.

"There were cases that lasted two to three years and nothing ever happened to these people," Smith said. "It seems like it's always probation. They always slap their wrists."

New federal rules might change that.

On Saturday, federal rules took effect that beef up penalties for computer crimes. A person who uses computers to cause death or bodily harm - by taking down a power grid or air traffic control towers, for instance - could get 20 years to life in prison, under a section of the 2002 Homeland Security Act.

"These are for the cyberterrorist, not for the teen hackers," said Mark Allenbaugh, former staff attorney for the U.S. Sentencing Commission, which makes sentencing rules.

What might make a bigger impact on cybercrime punishment, he said, is another law passed in April that may limit a judge's ability to "depart," or hand down sentences that are lower than federal guidelines.

"It's going to be much harder for hackers to get less serious sentences," Allenbaugh said. "Probation may not be an option."

For instance, Allenbaugh said he expects a harsher penalty for the author of one of the Blaster worms if he is convicted, instead of simply probation or a short jail sentence.
Jeffrey Lee Parsons, 18, is accused of unleashing a version of the Blaster computer worm, which spread around the world in six minutes using network connections, slowed Internet activity dramatically and disrupted business for numerous companies.

"Now, because of the amendment, he is going to get a rather significant additional bump, which probably will translate into an extra few years," Allenbaugh said.

Many computer crime cases never even make it to a jury, Smith said. In some cases, foreign authorities won't extradite suspects and in others the technology is too complex for prosecutors to win.

"Prosecutors, they don't always understand the case and don't think they could convince a jury and judge it was a significant crime," Smith said.

Smith said he thinks judges give more leniency to younger people with hopes they can put their computer skills and brains toward something good.

"They think, well, it's some misguided kid," he said. "It doesn't always work. The kid thinks, 'Wow, I got off.'"

Since 2000, 11 people convicted of breaking into computers or unleashing malicious code got probation. Nineteen were sentenced to one to three years in prison. And just four were sentenced to more than four years in prison, according to the Department of Justice.

Some of the ex-cons, such as notorious hacker Kevin Mitnick, became security consultants upon release or got jobs hacking into companies' computers and alerting them to vulnerabilities.

"The fact that you can break the law and then capitalize on it - that's the norm, unfortunately, in the computer security field," said Drew Fahey, a computer security expert who works with Smith at E-Fense, an Alexandria, Va.-based computer security consulting firm with offices in Englewood.

Meanwhile, consumers, businesses and government agencies are losing out. Identity theft - sometimes the result of personal information stolen from computer databases - is the nation's fastest growing crime.
And corporations are spending billions of dollars fighting off a growing number of computer attacks. Each day, five new malicious code attacks are unleashed, according to the FBI.

One market research firm, Computer Economics Inc., estimates that the recent SoBig virus cost businesses $1 billion. The firm estimates all viruses this year have cost companies $13 billion.

As a result, the computer crime caseload at the FBI has grown significantly, said Ken McGuire, a computer crimes investigator for the FBI.

"Over the past five years, we've gone from 10 to 20 complaints a month to 10 to 20 a week," he said.

Yet not everyone believes stiffer prison sentences will ease cybercrime.

"For every bad guy we get rid of, there will be more bad guys," said Rick Dakin, president of Coalfire Systems Inc., a Superior computer security consulting firm.

Dakin said companies must be more diligent about protecting their systems, deploying network monitoring tools, regularly changing passwords and performing risk-assessment tests.

A federal bill could force that to happen.

The bill, introduced this summer by Sen. Dianne Feinstein, D-Calif., requires businesses or government agencies to notify individuals if a database has been broken into and personal data has been compromised, including Social Security numbers, driver's licenses and credit cards.

A hearing on the legislation will be held Tuesday in a Senate judiciary subcommittee.

Under the proposed federal law, the Federal Trade Commission could impose fines of up to $5,000 per violation or up to $25,000 per day while the violation persists. State attorneys general also may file suit to enforce the statute.

A similar California law makes it a criminal offense to not disclose such security breaches.

"Over the past year, there have been more cases in which hackers have broken into databases," said Scott Gerber, spokesman for Feinstein.
"This is a fair and tough enforcement giving Americans more control and confidence about the safety of their personal information." If the law passes, businesses may be reluctant to tell anyone they've been hacked. Business executives don't want the bad press, which can affect their stock prices, their customers' trust or their ability to attract employees. Just one-third of companies hacked last year reported the attacks to law enforcement, according to a survey by the Computer Security Institute. "This law says 'you protect it or you tell us,"' said Dakin of Coalfire. "What a wicked responsibility. But I don't know another way you will force change without going that way." - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.