00:05 AM
Connect Directly

Judges And Prosecutors Throw The Book At Hackers

Those accused of cybercrimes are facing serious charges. That could spell the end of the white-hat hacker.

Eric McCarty goes before a federal judge this month on charges he damaged the University of Southern California's online application system. McCarty, 25, says he was just trying to highlight the Web site's security vulnerabilities.

A not-guilty plea just might fly with a jury, since it doesn't appear McCarty did anything with the data he stole. But as data theft and other cybercrimes wreak damages nationwide, the "white-hat hacker" defense won't win him much sympathy. Meanwhile, prosecutors and judges are treating these cases much more seriously.

Downloadable PDF

Case in point: U.S. prosecutors last week secured the extradition of Gary McKinnon, an unemployed U.K. systems administrator charged with breaking into and attempting to damage 92 computer systems belonging to the U.S. Army, Navy, Air Force, Defense Department, and NASA. McKinnon is accused of causing $700,000 in damages between February 2001 and March 2002 in what prosecutors call the largest-ever known crime involving U.S. military computers. While awaiting extradition, McKinnon became a U.K. media celebrity, railing against the state of computer security and rallying support against his extradition. Once on trial in the United States, however, McKinnon could face up to 70 years in prison and fines of up to $1.75 million.

Jeanson James Ancheta will be behind bars for 57 months

Jeanson James Ancheta will be behind bars for 57 months
The tough stance comes as computer crimes become more malicious, carried out for profit and destruction. Jeanson James Ancheta, 20, was sentenced last week to 57 months in prison for hijacking more than 400,000 PCs over the Internet, using them to build a botnet, then renting out the system to spyware distributors, hackers, and spammers. U.S. District Attorney Debra Wong Yang's office says it's the longest sentence ever for someone convicted of spreading a computer virus. U.S. District Judge Gary Klausner ordered Ancheta to give up $60,000 in cash, a late-model BMW, and computer equipment he bought with proceeds from the scheme.

Safety is another reason courts are getting tough on cybercrime, as we realize how dependent society is on computer networks. On May 4, 20-year-old Christopher Maxwell pleaded guilty in U.S. District Court in Seattle to computer fraud for operating a botnet that disrupted critical care systems used by Seattle's Northwest Hospital in January 2005. Maxwell's crime was particularly odious because the attack disrupted operating room doors, physicians' pagers, and computers in the intensive care unit. He faces up to 10 years in prison and a $250,000 fine.

There's a get-tough response from Congress, too. Last week, six U.S. representatives, including House Judiciary Committee Chairman James Sensenbrenner, R-Wis., proposed the Cyber-Security Enhancement and Consumer Data Protection Act, aimed at updating criminal statutes to keep pace with cybercrooks' methodologies. The bill has three goals, says Rep. Howard Coble, R-N.C., who chairs the Subcommittee on Crime, Terrorism, and Homeland Security: a stronger deterrent, including heading off the development of new criminal techniques; better protection of personally identifiable data; and adequate resources for the Justice Department and other agencies to investigate and prosecute lawbreakers.

The bill would prohibit the use of botnets--zombie computers that, through use of code sneaked onto them, can be controlled for phishing, spam, and denial-of-service attacks. It would raise the maximum penalty for fraud and other computer crimes from 10 years to 30. It also calls for the Secret Service, Justice Department, and FBI to each get $10 million a year in funding through 2011 to fight computer crimes. And it would require companies, in the case of a major security breach involving data on 10,000 people or more, to notify the Secret Service or FBI within two weeks and give the feds power to decide if notification required under state laws would hurt an investigation.

Cybersecurity laws typically have been created and enforced first at the federal level; state and local police often don't have enough computer forensic resources to investigate cybercrimes, Laura Parsky, the Justice Department's deputy assistant attorney general, told the House subcommittee last week. "Although law enforcement has made inroads into addressing [the cybercrime] problem, it appears to be getting worse," Parsky said.

Last year, 95% of companies experienced more than 10 Web site attacks, involving viruses, unauthorized access, or theft of proprietary information, according to a survey of 700 computer security practitioners by the FBI and the Computer Security Institute. In 2004, just 5% experienced that level of attacks.

1 of 2
Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.