Roger Duronio, 63, of Bogota, N.J., stood quietly and didn't react as Judge Joseph Greenaway Jr. handed down the sentence. "This is a sophisticated crime," said the judge. "This wasn't an instance when an individual argues that 'I had a bad day and I made a mistake.' Its undoubtedly that Mr. Duronio, having felt wronged, came up with an elaborate, sophisticated scheme to take down a company." Judge Greeaway added that he was struck by Duronio's attempt to not only disrupt the company but to derive financial benefit from it.
Duronio was found guilty of computer sabotage and securities fraud for writing, planting, and disseminating malicious code -- a so-called logic bomb -- that took down up to 2,000 servers in both UBS PaineWebber's central data center in Weehawken, N.J., and in branch offices around the country. The attack left the financial giant's traders unable to make trades, the lifeblood of the company, for a day in some offices and for several weeks in others.
Executives at UBS, which was renamed UBS Wealth Management USA in 2003, never reported the cost of lost business, but did say the attack cost the company more than $3.1 million to get the system back up and running.
"If it doesn't send a message, people aren't listening," said Assistant U.S. Attorney V. Grady O'Malley, a prosecutor on the case. "If giving the maximum for this crime doesn't send a message to people with the ability to commit a crime and to the people who employ them, they're not paying attention. The potential for the impact of an insider is uncalculable."
In his first statement in open court, Duronio called himself a simple man who lead a simple, productive life. "In the Judeo-Christian way of looking at things the just thing to do would be to be merciful. I hope to have the opportunity to keep making contributions." UBS was hit on March 4, 2002, at 9:30 in the morning, just as the stock market opened for the day. Elvira Maria Rodriguez, an IT manager in charge of maintaining the stability of the servers in the branch offices, testified during the trial that she was working when the servers began to go down. She told the court that she heard her computer beep, saw the words "cannot find" on the screen, and then her system froze. Then she glanced at her phone, which generally might have two or three lights flashing, and saw that 60 calls had come in at once.
That happened when 17,000 brokers suddenly discovered they were unable to make trades.
Rodriguez also testified that UBS is still suffering damage four years after the attack. Some of the information on the approximately 2,000 Unix-based servers in the home office and the 370 branch offices that were hit by the malicious code was never fully restored.
"I don't believe we were ever back to that point," said Rodriguez during the trial. "We were always having issues with these large-scale servers [after the attack]. We never had the luxury to focus on completely going over all the servers. We just didn't have the time."
Duronio worked at UBS as a systems administrator until he quit a few weeks before the attack. Witnesses testified that he quit because he was angry he didn't receive as large an annual bonus as he expected. The government argued that Duronio wasn't just looking to cause trouble for UBS, he also was looking to cash in. Duronio built and planted the time bomb ahead of time and then bought stock options -- using money that he got cashing out his and his wife's $20,000 IRA -- that would only pay out if the company's stock took a dive within 11 days. By laying out a short expiration date -- 11 days instead of maybe a year or two -- the gain from any payout would be much greater.
Prosecutors argued that Duronio planned on making sure that that's exactly what would happen by crippling the company's network.
During the investigation, U.S. Secret Service agents found copies of the malicious code on two of Duronio's home computers and on a printout sitting on his bedroom dresser.
Keith Jones, the government's expert witness and a 10-year forensics professional, spent more than three years analyzing backup tapes, logs, and source code from UBS's network. Jones testified during the trial that he not only found the malicious code, but he also linked it directly back to Duronio's home computer.
The defense argued that the UBS network was riddled with security holes that would have allowed any number of people to masquerade as Duronio and move around the network unnoticed. They also argued that the evidence available -- in the form of backup tapes for the damaged servers -- was incomplete, leaving holes in the picture of what happened in the months before the security incident. The jury deliberated for 20 hours before delivering the verdict, which included an acquittal on two charges of mail fraud.
Duronio was ordered to make restitution, but it is unlikely that UBS will ever get the $3.1 million they paid out in cleanup costs. Duronio also was banned from working as a systems administrator, network administrator, or computer consultant. He will report to the prison system in about 45 days.