A federal prosecutor says the sentencing of a former IT systems administrator to eight years in prison for an insider attack should sound a warning to hiring managers that they need to be more vigilant about who they're putting in critical IT positions.
It also should sound a similar warning, added Assistant U.S. Attorney V. Grady O'Malley, to disgruntled IT workers that the government has the ability to trace their movements on a network and put them behind bars for launching an insider attack.
"Be vigilant," says O'Malley, who called the attack "an act of terrorism" against UBS PaineWebber. "When you're hiring people to do a sensitive job, like a systems administrator with root access, you've got to know who you're bringing on."
On Wednesday, a judge pointed to the "venality" of Roger Duronio's attack on the computer network at UBS, where he had worked as a systems administrator for three years. The March 4, 2002, attack brought down about 2,000 servers in both the company's data center and its branch offices around the country. The financial giant reported that simply cleaning up the mess and getting back online cost UBS more than $3.1 million. The cost of lost business -- in an attack that left some of the company's 17,000 traders unable to make trades for a day and others unable to work for as much as two weeks -- has never been publicly reported.
Duronio was convicted this summer of computer sabotage and securities fraud.
In U.S. District Court in Newark, N.J., Judge Joseph Greenaway Jr. sentenced Duronio, 64, of Bogota, N.J., to the maximum sentence allowed by law in this case -- eight years and one month in prison -- for writing, planting, and triggering a logic bomb on the UBS network. There is no parole in the federal system. Until he enters prison, Duronio is under house arrest, and when he gets out he is banned from working as a network administrator, systems administrator or computer consultant for the three years during which he will be under supervision.
Duronio also was ordered to pay restitution of the $3.1 million. It's expected that he will have to make monthly payments when he is released from prison.
In a halting and tearful statement -- his only one in open court -- before the sentence was handed down, Duronio said he had led a simple, good and productive life. He added, "In the Judeo Christian way of looking at things the just thing to do would be to be merciful." He neither admitted to nor apologized for the crime.
During the sentencing hearing, O'Malley called Duronio's attack on UBS a "gutless act of violence," and added that he had attempted to "paralyze" and ruin the company, all because Duronio was angry he didn't receive $15,000 of his expected $50,000 bonus in the months after Sept. 11, when many financial companies were struggling.
"We're talking about $15,000 here. We're talking about a bonus," said O'Malley. "Somebody attempted to take down a company and thousands of jobs because he didn't get $15,000 in bonus. On March 4, that logic bomb hit like a tsunami, going across the country in a matter of seconds. He intended the whole company to go down and it did."
In an interview with InformationWeek, O'Malley said the case makes it clear that companies need to run background checks on people they're hiring for sensitive IT positions.
Duronio has a criminal record that includes charges of burglary and assault. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s.
At InformationWeek's request, investigation firm Fairfax Group found most of the information in the probation report within four days, using only public records, and some within 24 hours.
A spokeswoman for UBS said that when Duronio was hired in 1999, the company ran background checks only on a select number of people. Duronio was not one of them. Today, UBS, which has been renamed UBS Wealth Management USA, reports that it runs checks on everyone.
"Look what a background investigation would have told them about Roger Duronio," says O'Malley. "They would have saved themselves a world of trouble and heartache. This guy had no qualms about taking down an international company. In terms of despicable and senseless acts, this crime ranks right up there with some of the worst I've seen."
O'Malley, however, says the lesson is not for hiring managers alone.
IT workers who might consider attacking their own network should be on notice. "If you want to find yourself standing in front of a federal judge pleading for leniency, that day will come," warns O'Malley. "When some IT guy, who has access and ability, feels the need to get back at someone for some real or perceived slight, he better be careful."
He adds that IT professionals might think they're more computer savvy than government agents and that they can sufficiently hide their trails.
"All these guys think they're smarter than everybody around them," he says. "But technology is becoming more sophisticated and with guys like Keith Jones [a forensic investigator and the government's expert witness in the case] out there to identify their fingerprints figuratively, that's a real reason not to do it. We have the ability to get these facts and get them to a jury in a manner they'll understand. You will get caught."