B
Bart Bailey
http://www.washingtonpost.com/ac2/wp-dyn/A35261-2003Oct2?language=printer
washingtonpost.com
Hackers to Face Tougher Sentences
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, October 2, 2003; 4:24 PM
Convicted hackers and virus writers soon will face significantly harsher
penalties under new guidelines that dictate how the government punishes
computer crimes.
Starting in November, federal judges will begin handing out the expanded
penalties, which were developed by the U.S. Sentencing Commission.
Congress ordered the changes last year, saying that sentences for
convicted computer criminals should reflect the seriousness of their
crimes.
"The increases in penalties are a reflection of the fact that these
offenses are not just fun and games, that there are real world
consequences for potentially devastating computer hacking and virus
cases," said John G. Malcolm, deputy assistant attorney general and head
of the U.S. Justice Department's computer crimes section. "Thus far, the
penalties have not been commensurate with the harm that these hacking
cases have caused to real victims."
There are multiple factors that a judge depends on to determine whether
to send someone to prison and for how long, but most maximum prison
sentences handed down for computer crime range from one year to 10
years. Hackers whose exploits result in injury or death -- if they
disable emergency response networks or destroy electronic medical
records, for example - - face 20 years to life in prison.
Hackers will face up to a 25 percent increase in their sentences if they
hijack e-mail accounts or steal personal data -- including financial and
medical records and digital photographs. Convicted virus and worm
authors face a 50 percent increase.
Sentences also will increase by 50 percent for hackers who share stolen
personal data with anyone. The sentences will double if the information
is posted on the Internet. More than half of the sentences handed out
under federal computer crime laws would be lengthened by this change
alone, according to a Sentencing Commission report released in April.
Jail time also will double for hackers who break into government and
military computers or networks tied to the power grid or
telecommunications network.
Hackers who electronically break into bank accounts can be sentenced
based on how much money is in the account, even if they don't take any
of it. Under the new guidelines, however, judges can tack on a 50
percent increase to the sentence if the hacker did steal money.
Prosecutors traditionally had to show that computer criminals caused at
least $5,000 in actual losses to win a conviction. The new guidelines
let victims tally financial loss based on the costs of restoring data,
fixing security holes, conducting damage assessments and lost revenue.
"Some computer crimes are more serious than others, and these new
guidelines reflect that critical infrastructures need to be protected
and that invasions of privacy need to be treated as seriously as
invasions of our pocketbooks," said Mark Rasch, former director of the
Justice Department's computer crimes division and chief security counsel
for Solutionary Inc., an Internet security company in Tysons Corner, Va.
Kevin Mitnick, a well known former hacker who spent almost six years in
prison, said he doubts the increased penalties would deter hackers.
"The person who's carrying out the act doesn't think about the
consequences, and certainly doesn't think they're going to get caught,"
Mitnick said. "I really can't see people researching what the penalties
are before they do something."
The new guidelines will not apply to sentences handed out or
prosecutions underway before Nov. 1. This includes the high- profile
case of Adrian Lamo, the 22-year-old computer hacker who stands accused
of infiltrating and damaging the New York Times Co.'s source list and
computer network.
In addition, the guidelines generally will not apply to juveniles, who
normally are charged in state courts. In one notable exception, the
government last week charged a North Carolina youth as an adult for
releasing a version of the Blaster worm.
Most computer criminals are well educated, have little or no criminal
history, commit their crimes on the job and often are seeking financial
gain, according to Sentencing Commission documents. Of the 116 federal
computer crime convictions in 2001 and 2002, about half involved
disgruntled workers who used their knowledge to steal from or to
discredit their former employers.
Jennifer Granick, an attorney who represents one of those criminals,
said that they are unfairly singled out for tougher sentences than other
white-collar perpetrators.
"In most cases, the use of a computer is the trigger for prosecution or
for greater sentencing, because so many upward adjustments apply once a
computer is involved in the case," said Granick, director of Stanford
Law School's Center for Internet and Society.
Her client is Bret McDanel, a 30-year-old California man sentenced in
March to 16 months in prison for revealing sensitive security
information about his former employer's computer network. Federal
prosecutors said McDanel, who worked as a computer security staffer for
the now-defunct Tornado Development Inc., sent the information to
Tornado's 5,000 customers in September 2000, crashing the company's
server.
McDanel would have faced two years in jail under the new sentencing
guidelines, said Granick, who argued that it is difficult to place a
real dollar loss on computer crimes so judges typically impose harsher
sentences than necessary.
Granick also said prosecutors could manipulate the damage amount to
appear much larger than it really is, giving the government an advantage
in plea bargaining.
Malcolm, the Justice Department's computer crimes chief, said that the
department does not give prosecutors suggestions on determining damage
amounts, and that prosecutors pursue plea bargain negotiations on a
case-by-case basis.
Internet security expert Rasch said that the number of computer-related
prosecutions could rise as federal prosecutors try to tie them into
otherwise unrelated crimes. He said this is especially possible in light
of a recent memo from Attorney General John Ashcroft urging prosecutors
to seek more convictions and stronger sentences based on the most
serious charges they can find.
"We could soon end up seeing a greater number of ordinary crimes
prosecuted as computer crime in an effort to get more leverage for a
plea, just because somehow, somewhere there's a computer involved,"
Rasch said.
Malcolm said this is unlikely.
"In your run-of-the-mill cases where the computer is only a tangential
part of the crime, there are not going to be significant enhancements,"
he said.
If there is an increase, he added, it is because "whether they're drug
dealers, embezzlers, hackers or software pirates... people who commit
crimes use computers more than they used to."
© 2003 TechNews.com
washingtonpost.com
Hackers to Face Tougher Sentences
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, October 2, 2003; 4:24 PM
Convicted hackers and virus writers soon will face significantly harsher
penalties under new guidelines that dictate how the government punishes
computer crimes.
Starting in November, federal judges will begin handing out the expanded
penalties, which were developed by the U.S. Sentencing Commission.
Congress ordered the changes last year, saying that sentences for
convicted computer criminals should reflect the seriousness of their
crimes.
"The increases in penalties are a reflection of the fact that these
offenses are not just fun and games, that there are real world
consequences for potentially devastating computer hacking and virus
cases," said John G. Malcolm, deputy assistant attorney general and head
of the U.S. Justice Department's computer crimes section. "Thus far, the
penalties have not been commensurate with the harm that these hacking
cases have caused to real victims."
There are multiple factors that a judge depends on to determine whether
to send someone to prison and for how long, but most maximum prison
sentences handed down for computer crime range from one year to 10
years. Hackers whose exploits result in injury or death -- if they
disable emergency response networks or destroy electronic medical
records, for example - - face 20 years to life in prison.
Hackers will face up to a 25 percent increase in their sentences if they
hijack e-mail accounts or steal personal data -- including financial and
medical records and digital photographs. Convicted virus and worm
authors face a 50 percent increase.
Sentences also will increase by 50 percent for hackers who share stolen
personal data with anyone. The sentences will double if the information
is posted on the Internet. More than half of the sentences handed out
under federal computer crime laws would be lengthened by this change
alone, according to a Sentencing Commission report released in April.
Jail time also will double for hackers who break into government and
military computers or networks tied to the power grid or
telecommunications network.
Hackers who electronically break into bank accounts can be sentenced
based on how much money is in the account, even if they don't take any
of it. Under the new guidelines, however, judges can tack on a 50
percent increase to the sentence if the hacker did steal money.
Prosecutors traditionally had to show that computer criminals caused at
least $5,000 in actual losses to win a conviction. The new guidelines
let victims tally financial loss based on the costs of restoring data,
fixing security holes, conducting damage assessments and lost revenue.
"Some computer crimes are more serious than others, and these new
guidelines reflect that critical infrastructures need to be protected
and that invasions of privacy need to be treated as seriously as
invasions of our pocketbooks," said Mark Rasch, former director of the
Justice Department's computer crimes division and chief security counsel
for Solutionary Inc., an Internet security company in Tysons Corner, Va.
Kevin Mitnick, a well known former hacker who spent almost six years in
prison, said he doubts the increased penalties would deter hackers.
"The person who's carrying out the act doesn't think about the
consequences, and certainly doesn't think they're going to get caught,"
Mitnick said. "I really can't see people researching what the penalties
are before they do something."
The new guidelines will not apply to sentences handed out or
prosecutions underway before Nov. 1. This includes the high- profile
case of Adrian Lamo, the 22-year-old computer hacker who stands accused
of infiltrating and damaging the New York Times Co.'s source list and
computer network.
In addition, the guidelines generally will not apply to juveniles, who
normally are charged in state courts. In one notable exception, the
government last week charged a North Carolina youth as an adult for
releasing a version of the Blaster worm.
Most computer criminals are well educated, have little or no criminal
history, commit their crimes on the job and often are seeking financial
gain, according to Sentencing Commission documents. Of the 116 federal
computer crime convictions in 2001 and 2002, about half involved
disgruntled workers who used their knowledge to steal from or to
discredit their former employers.
Jennifer Granick, an attorney who represents one of those criminals,
said that they are unfairly singled out for tougher sentences than other
white-collar perpetrators.
"In most cases, the use of a computer is the trigger for prosecution or
for greater sentencing, because so many upward adjustments apply once a
computer is involved in the case," said Granick, director of Stanford
Law School's Center for Internet and Society.
Her client is Bret McDanel, a 30-year-old California man sentenced in
March to 16 months in prison for revealing sensitive security
information about his former employer's computer network. Federal
prosecutors said McDanel, who worked as a computer security staffer for
the now-defunct Tornado Development Inc., sent the information to
Tornado's 5,000 customers in September 2000, crashing the company's
server.
McDanel would have faced two years in jail under the new sentencing
guidelines, said Granick, who argued that it is difficult to place a
real dollar loss on computer crimes so judges typically impose harsher
sentences than necessary.
Granick also said prosecutors could manipulate the damage amount to
appear much larger than it really is, giving the government an advantage
in plea bargaining.
Malcolm, the Justice Department's computer crimes chief, said that the
department does not give prosecutors suggestions on determining damage
amounts, and that prosecutors pursue plea bargain negotiations on a
case-by-case basis.
Internet security expert Rasch said that the number of computer-related
prosecutions could rise as federal prosecutors try to tie them into
otherwise unrelated crimes. He said this is especially possible in light
of a recent memo from Attorney General John Ashcroft urging prosecutors
to seek more convictions and stronger sentences based on the most
serious charges they can find.
"We could soon end up seeing a greater number of ordinary crimes
prosecuted as computer crime in an effort to get more leverage for a
plea, just because somehow, somewhere there's a computer involved,"
Rasch said.
Malcolm said this is unlikely.
"In your run-of-the-mill cases where the computer is only a tangential
part of the crime, there are not going to be significant enhancements,"
he said.
If there is an increase, he added, it is because "whether they're drug
dealers, embezzlers, hackers or software pirates... people who commit
crimes use computers more than they used to."
© 2003 TechNews.com