Taking a Hack at Evaluating Sentencing Guidelines

Hacking is a significant problem today, especially in light of the growth of technology and the increased integration of technology into our everyday lives.

Whether you agree with Rep. King or not, the threat to US national security is very real.  In November 2010, WikiLeaks published classified US State Department cables on its website.  Consequently, PayPal suspended WikiLeaks’ accounts so that WikiLeaks could no longer receive much needed donations from supporters.  In response, Anonymous attacked PayPal’s computer servers.  Then, in July 2011, a federal prosecutor in California responded by filing charges against several defendants for violating the Computer Fraud and Abuse Act.  Indictment.

Thus, it is important that the government establish sufficient sentencing guidelines to deter hackers.  The courts must avoid inappropriately light sentences by considering the physical harm to the victims, invasion of the victim’s privacy, and the impact on economic infrastructure and government functions. Downing, 924-25.

However, deterrence is difficult to achieve because (1) the victims are often not aware of the unauthorized access, (2) once detected hacking is not reported, (3) hacking is difficult to investigate, and (4) it very costly for the government to train and equip law enforcement to investigate hacking.  In analyzing deterrence from a psychological standpoint, Downing points out that cybercrimes provide the perpetrators a level anonymity and very little contact with the victim.  Most hackers are able to sit in the comfort of their home and wreak havoc on victims all over the world.  Since hackers are not committing these crimes in plain sight, Downing suggests that the government will only achieve deterrence through prosecution and harsh punishments.  Indeed, you will not find a hacker sitting in the public library announcing his every move.  Downing, 924-26.

In many cases, the goal of the hacker is to make the computer or the information unavailable to the owner.  For this reason, the courts must consider the costs incurred by the owner in restoring the computer to a usable state.  These costs often include the need of a computer security consultant and down time, which may result in lost profits.  Other times the information is simply copied, such as when a customer list is stolen.  While that list has significant value in the market, the owner of the list must establish its value through costly expert testimony.  Downing, 927-31.  AT&T experienced a similar problem when Moore, one of its employees, posted confidential information onto Fileape.com.  AT&T estimated that the information was worth $5,000.  After discovering the publication, a federal prosecutor in New Jersey charged Moore with violating Title 18, United States Code, Sections 1030(a)(2)(C), 1030(c)(2)(B)(iii), and 2.  Complaint.  As Downing points out, it seems that Congress has considered these situations because the Computer Fraud and Abuse Act defines loss as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information.”  18 U.S.C. § 1030(e)(11) (2011).  The problem though is that the definition might be too narrow since the definition does not include the market value of information, such as the value of customer lists.  Downing, 927-31.

Downing suggests that one flaw in the Computer Fraud and Abuse Act is that it makes it difficult for a prosecutor to prosecute small harms.  For example, in a case where a hacker has created a worm that caused a user’s computer to crash, the user must spend time cleaning their computer and restoring it to a normal state.  The problem for the prosecutor is that there is no real economic loss to the user.  At the sentencing phase, the prosecutor cannot call in thousands of victims to testify as to the worm’s effects on their computers.  However, the sum of all these small inconveniences is significant.  Downing states that the best solution would be to call in several witnesses and then let an expert testimony as to the total harm caused by the worm.  Downing, 934-35.

Hacking can be a very lucrative endeavor.  In 2000, Vasiliy Gorshkov, a Russian computer hacker, stole over 50,000 credit card numbers and was sentenced to three years in prison.  Another hacker infiltrated a hospital to obtain a country singer’s medical records in order to sell the records to a tabloid.  Downing, 936-37.

Yet, not all hackers commit cybercrimes for monetary gain.  Recently, a prosecutor indicted a group of people who developed a program that was designed to spy on others.  Purchasers of the product could use the program for all sorts of unscrupulous behaviors, such as monitoring their ex-lovers.  From a legal standpoint, it may be difficult for the courts to fully evaluate the costs incurred by the victim that were caused by the privacy invasion.  Still, the victim may suffer a significant privacy invasion.  A scorned lover may find compromising pictures and emails on their ex-lover’s computer and then may decide to post that information on the Internet.  Downing, 937-38.  Imagine the ex-lover’s employer’s or current lover’s reaction to such a publication.

Downing argues that sentencing guidelines for privacy invasion should be flexible to allow the courts to consider the unique harm to the individual or corporation.  Certainly, every individual has their own privacy preferences and the harm that one individual suffers for a privacy invasion may vary from case to case.  For example, the publication of a private phone number would not affect me in the same way it would affect a celebrity.  While an owner may not consider family photographs confidential, Downing states that the owner would feel differently if those photographs were in the hands of a pedophile.  Fortunately, for the most part, the current sentencing guidelines provide the courts with broad discretion to increase the penalty where the facts demonstrate a substantial privacy invasion.  Downing, 938-40.

Critical infrastructures, which include electricity distribution, banking, finance, telecommunications, emergency response, and the water supply, are also vulnerable to cybercrime.  In the past, hackers have accessed computers that control the flow of natural gas pipelines and Arizona’s Roosevelt Dam.  If the Roosevelt Dam hacker decided to release all of the water, the consequences would have been catastrophic.   The sentencing guidelines do provide for the courts to consider the significance of the harm to the infrastructure and to increase the penalty accordingly.  Overall, Downing believes that the current sentencing framework is very good.  Downing, 942-45.

As technology advances and crime evolves accordingly, the judiciary will find itself trying to fit new crimes into our traditional framework.  Prosecutors have the burden of advising the courts of the real harms caused by these crimes.  Downing suggests that the US Sentencing Commission could facilitate the deterrence of new cybercrimes by amending the guidelines as the technology advances.  Downing, 948.

Richard W. Downing
Thinking Through Sentencing in Computer Hacking Cases: Did the US Sentencing Commission get it Right? http://www.olemiss.edu/depts/ncjrl/pdf/Downing76.3.pdf
U.S. v. Christopher Wayne Cooper, et.  al  (Indictment) http://cryptome.org/0005/cooper/cooper-001.pdf
Computer Fraud and Abuse Act,  18 U.S. C. 1030
Advertisements

~ by joshufl on September 18, 2011.

10 Responses to “Taking a Hack at Evaluating Sentencing Guidelines”

  1. Great post! I would like to piggyback of my post last week regarding cybercrimes and actual harm. Based on some of the examples in this post, I would have to say that I disagree with Ms. Brenner’s position that in the absence of tangible harm, there can’t really be any crime committed/punished. Let’s create an instance where even one hundred small business owners are affected by a computer virus which takes just one hour to repair. They have not lost any data, customer information, business records, etc., but their computer systems have been down for only one hour. On an individual level, each business owner may have lost sales, the ability to work, etc., but on the aggregate, one hundred hours of business can be quite substantial. Like the post said, you could not call all of these people as witnesses, as this would have an objection raised regarding cumulative evidence, but a couple of people giving testimony, followed by an expert, would be extremely effective to demonstrate the harm.

    I also found the section regarding protecting “critical infrastructures” to be interesting. While I recognize that the Hoover Dam is much more important than Mom & Pop’s Hardware in the grand scheme of public safety, I think that to Mom and Pop, nothing is more important than their hypothetical store. I think the sentencing guidelines should take into consideration the significance of the harm in context, rather than on the whole. To continue the example, if a hacker wanted to target Mom and Pop’s computer system and destroy all of their records and data, that would leave them in ruins. I know this wouldn’t affect society as a whole, since we’re not talking about Bank of America (for example), but are their rights as small business owners any less important? Are crimes against them any less punishable? If only you could make the Golden Rule argument in court, Mom and Pop would win every time…

  2. First off, I wanted to clarify the difference between “communication” and “publishing”. I’m not really sure there is as distinct a difference as Justice Douglas made it seem. To me, I picture communication as a broad, overarching umbrella term encompassing a variety of means to spreading information (ie. communicating) like in-person conversation, calling someone on the phone, transmitting a news report, and publishing the material whether it be in a newspaper, online news article or website posting, or through a series of text messages between cellular users. Communication is not just the receipt of information between individuals, but rather encompasses the entirety of the sequence–both the input, delivery, and the noise and events in between. I must respectfully dissent from Justice Douglas’s decision that the Espionage Act does not encompass, nor govern, the Wikileaks scandal. However, that is not to say that i agree that Wikileaks should be held liable for the information they transmitted; I am simply exerting my belief that the Espionage Act does in fact govern the circumstances.

    The situation is a sticky one to navigate. The First Amendment is prided among Americans as allowing citizens the right to speech, publication, and communication unhindered by overbearing governmental taxation, restriction, and regulation. While there are some stipulations (ie. communications cannot incite violence), overall, Americans enjoy a broad freedom when it comes to communication mediums as well as what exactly is conveyed. But, even still, I have to take the position against Wikileaks. Even though Trever Timm’s article clearly explains that Wikileaks merely published past-dated documents with the intent of affecting the public opinion of the war, not aiding the enemy, and reported past events, not future plans of the Defense Department, I find it hard to imagine that the US Government didn’t withhold the information for some reason. In addition, the government oftentimes must conceal certain information from its citizens and, while I don’t always completely agree with the government’s chosen actions, I have to believe that during this time (in the short years following the 9/11 attacks) the government worked diligently to protect the American people, preserve the public sentiment, as well as prohibit governmental communications from being shared with the opposing side. Even something that we as everyday citizens don’t feel is beneficial to the opponent, the governemnt might realize the opposite. The government might have motive behind its censoring of certain materials.

    I’m not sure how I feel about designating Wikileaks as a foreign terrorist organization (FTO). I don’t know enough about the materials published and if they–despite what Trevor Timm writes–had some impact overseas. A part of Peter King’s commentary that I’m particularly unsettled about is his motivation behind suggesting such a label for Wikileaks (if no law broken, the government can cut off power supply). To me, this gives the impression that the Government is an all-powering being that has unlimited control over any situation and if one road fails, there is an alternative to equally resolve the problem. I understand that with new technology comes a greater and more time-efficient risk for criminal law violations in a virtual context, but without my knowledge, I am uncertain that Wikileaks’ actions account for terrorist activity. But to play devil’s advocate, the United States is often prided for its proactive behavior, no matter how stringent it may seem at first. So if this is what it takes to set strict precedent, rather than a lax loophole or exception, then it might be necessary to take such precautions. It’s always easier to be proactive then have to reactively respond to a devastating attack on our troops overseas or here in this country.

  3. Please IGNORE my first response from 9/19 at 11:11pm (immediately preceding this post). I accidentally posted my response to the blog entry “The Wikileaks Scandal: Is the hallmark of security maximum disclosure?” under this blog title. The following post IS my response to the blog titled: “Taking a Hack at Evaluating Sentencing Guidelines”.


    When I think of hacking, one of the first things that comes to mind is the movie “Live Free or Die Hard” (2007) with Bruce Willis. As silly as some of the acting might be, our government is faced with the looming threat of the movie’s underlying technological scare on a daily basis. The movie portrays how elite and sophisticated hackers have the potential to overcome governmental security measures to overtake the city’s critical infrastructures and systems, starting with cellular devices and technology. The hackers eventually overcome the traffic light systems, the efficiency of hospitals and emergency response teams suffer next, major airports and other transportation hubs cannot function without technology, then the stock market crashes. The hackers are out to attack the power plants dotting the eastern seaboard and take over using chemical warfare. Long story short, the hackers are out to not only disrupt the lives and infrastructure of the country and its citizens, but to instill fear and invoke chaos, a task easily accomplished when the city’s major and heavily-relied-upon infrastructures collapse. It turns out that one of the nation’s best hackers (who never intended to harm anyone with his skills) is targeted by the bad hackers and then eventually works to defeat them.

    So why did I bring the movie to your attention? To emphasize the threat that our nation faces daily. When our country’s technology skill and capacity increases overall, it’s safe to assume that hackers are also reaping the benefits of such technology advancements. For every smart governmental technology expert working diligently to keep the bad guys at bay, there is a hacker who has long since mastered those beginner skills and surpassed the intelligence of said governmental specialist. The hacker is simply keeping a low profile, whether it be because he simply has no desire to cause such catastrophic harm, or he is merely lying in wait, the more frightening thought.

    Putting the concept of hacking into perspective is important to understanding how best to penalize such action and the perpetrators behind this invasive and potentially destructive activity. And to determine whether having sentencing guidelines for punishment and statutes that define loss to the user really serve as a deterrent to a hacker. To be perfectly honest, I’m not sure that promote more strict sentencing guidelines and prosecution is doing all that much to deter potential and actively-working hackers. From what I learned during my undergraduate communications classes, hackers live for the thrill and excitement of exploring and concquering off-limits and protected material. I would equate hacking to a game. Hackers thrive off the excitement that comes from mastering a new skill or technique and being able to overcome and undermine a supposedly security-protected area or system. Fortunately, this is all hackers do–they live for the chase and nothing more. They’re not out to devastate our nation’s infrastructures of economic success. They merely want to test their hacking skills by breaching some of the most highly and advancely protected areas. But, on the other end, we face the hackers who care little about the chase and ultimately seek to devastate the user on the other end, whether it be an individual or our nation’s government. For either category of hacker, I don’t feel that increasingly harsh prosecution, sentencing guidelines, and punishment scares them. They do not live in fear of being caught (they rarely are) and if they are somehow caught, a hacker can rarely be linked to the extent of devastation that lay in his wake. I highly doubt the most skilled (and dangerous) hackers leave behind a cookie crumb trail of where they’ve been, to whom they’ve wrecked havoc, where they’re headed next, and how to link the hacker with his signature maneuver (worm, virus, etc.).

    Because of this, it doesn’t seem to me that deterrence can be accomplished by having harsh sentencing guidelines. But, what else can we do? Hope that active and skilled prosecution alongside strict sentencing guidlelines deters some hackers? Or maybe the better answer is that our focus should be on creating more skilled anti-hacking software as a deterrent. I don’t know how realistic ithis is, but it seems to me that if we focused our technology experts’ attention toward proactive deterrence, rather than reactive punishment, we might end up with better success in protecting individuals from hacking.

  4. First, I will generally talk about hacking. Second, I will comment on the technique of expanding the definitions of law governing Terrorism. Third, I will comment on the pop culture portrayal of hacker as “hacktivists.”

    Recently, we have been discussing real world criminal acts which have a virtual world component. Here, however, we are dealing more in the realm of “knowingly access[ing] a computer without access or exceeding authorized access” as described in the CFAA.
    I find it interesting that you mentioned Downing saying that CFAA makes it difficult to “prosecute small harms.” This may mean that the CFAA is presently insufficient to handle the types of hacking that has been occurring lately.

    Additionally, hacking seems to be territory where TOS/EULA’s lose their ability to govern cyberspace. It was interesting to read that PayPal ended its relationship with WikiLeaks citing a TOS violation. Didn’t WikiLeaks read the TOS before checking the box? In response to PayPals application of its TOS, “Anonymous” hackers engaged DDoS attacks designed to “temporarily cripple” PayPal’s website in a move dubbed “Operation Payback.” I find it unlikely that mandatory arbitration in the venue of PayPal’s choosing would settle the differences between PayPal and Anonymous.

    This is an area that requires something like the CFAA. It is not dealing with the user of content misusing the content provider’s service, it is dealing with the behind the scenes world of code which the general public never sees.

    Next, Rep. Peter King’s push to designate WikiLeaks as a foreign terrorist organization is misguided. Terrorism is generally the use of violent acts to create fear and as a means of coercion for political, religious, or ideological gain. Certainly, terrorists engage in hacking.
    My concern is that expanding definitions of laws to fit the moment can cause long term foundational problems in a legal system. The Civil Rights Act, for example, brought about necessary change. Expanding the definition of the Commerce Clause to justify the Civil Rights Act, however, opened the door for all kinds of broad interpretations of “interstate commerce.” Moreover, it wrapped social justice in a C.R.E.A.M. mentality (cash rules everything around me) which I think has been bad for social justice in general. For this reason, I am against expanding the definitions of law to prosecute WikiLeaks under Anti-Terrorism laws. It could be laying the foundation for the future expansion of terrorism laws over the public in general.

    Make no mistake, WikiLeaks is an extremely dangerous group who should be charged with criminal activity. I grow very concerned whenever a group feels so sure of the “rightness” of their cause that they become willing to violate laws, produce twisted propaganda, or act immoral. Julian Assange, the founder of WikiLeaks and defendant for sex crimes seems so sure that he is righteous and that the US is some kind of evil empire that he is willing to cross the line in pursuit of his goals.

    Finally, I want to mention “Hacktivism” and groups like Anonymous. It is timely to be discussing this group, since they are currently engaged in the “Occupy Wallstreet” movement.

    See:
    http://www.adbusters.org/

    Activists are trying to turn Wall Street into Tahir Square, starting last weekend. They plan to occupy Wall Street for 2 months, and Anonymous has issued support and posted videos about the movement.

    I love the exercise of the right to peaceful assembly, and agree that Wall Street probably deserves it, but it is also problematic. For example, I assume that when these activists say they want to bring Tahir Square to Wall Street, they don’t mean the mass mobs which sexually assaulted western reporters and the soldiers which conducted “virginity checks” on the protestors. It is very dangerous to sell the image of protest. I was raised on the glamorized depiction of 60’s protests, and became extremely disillusioned upon seeing the dirty side of the Anti-WTO/IMF movement that started in Seattle 1998.

  5. This week’s reading went hand and hand with my readings on data security for my corporate governance class. In that class, we discussed how hard deterrence actually is. Sure setting high punishments for perpetrators sounds good and is probably something we should do, but catching hackers and proving harm and guilt beyond a reasonable doubt is a whole different matter all together. Throw in the fact that many hackers feel they will never be caught and that hackers can come from any nation in the world, who may or not have extradition laws, and hacking is a serious problem with limited solutions.

    Being able to prove harm is crucial on the criminal side of litigation, but perhaps we can help deter by coming up with some vague civil penalties as well. Lawyers often act like watchdogs because that is how we make money. Moreover, lawyers are skilled in finding ways to quantify harm. Maybe if we can hit some of these hackers and hacker groups in the wallet, some deterrence may result. On the other side, if we hold companies and corporations more liable for violating a new duty of privacy protection, maybe they will do a better job of protection. If Sony was facing a grater chance of a high civil penalty, maybe they would have spent a little more money protecting the Playstation Network. Or, maybe they would have then just charged for access to their network, thus just passing the cost back down to the consumer.

    Overall, I think hacking and data security is an important issue and one that is only going to grow in importance. I also think it sounds like Downing has some great ideas on how to try and deter hacking. But how to stop it all together, I don’t know because as long as hackers can make money, or injure an enemy, or make a social point, they are going to do it because they are better at hacking then those trying to come up with the laws and software programs to stop them.

  6. When I was a twelve or thirteen years old, my hero was Kevin Mitnick. I believe he was on the FBI’s 10 Most Wanted List for a few years. He was perhaps, the most famous hacker of the 1990s. When he was sentenced to prison, he spent his first year in solitary confinement. The prosecutor in his case, had convinced the judge that Mr. Mitnick could whistle at the exact frequency of a modem, and if he had a telephone, Mitnick had the ability to call into Norad and launch a nuclear missile simply by whistling. To the best of my knowledge, he never made a penny by hacking, or phreaking (the phone analogy to hacking). Today, he is done with his prison sentence and is now hired by companies to hack their systems! He checks the companies security and tries to find a way in. What a fantastic world me live in! I think what attracted me to Mr. Mitnick was that he was a rebel, and smarter than everyone else. He didn’t do it for money. He did it to thumb his nose at the authorities. Sure, he caused a lot of headaches for a lot of people, but he helped a nerdy generation of lonely teenagers, feel that they could conquer the cyber world. Around the same time that Mr. Mitnick was pulling off his great stunts, someone wrote a short piece called the Hacker Manifesto. Parts of it were incorporated into the movie Hackers. I think it encapsulates the pioneering and naive feelings of early hackers well, and I’ll cut and paste the whole thing here:

    The Hacker Manifesto

    by
    +++The Mentor+++
    Written January 8, 1986

    Another one got caught today, it’s all over the papers. “Teenager Arrested in Computer Crime Scandal”, “Hacker Arrested after Bank Tampering”…

    Damn kids. They’re all alike.

    But did you, in your three-piece psychology and 1950’s technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

    I am a hacker, enter my world…

    Mine is a world that begins with school… I’m smarter than most of the other kids, this crap they teach us bores me…

    Damn underachiever. They’re all alike.

    I’m in junior high or high school. I’ve listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. “No, Ms. Smith, I didn’t show my work. I did it in my head…”

    Damn kid. Probably copied it. They’re all alike.

    I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me… Or feels threatened by me.. Or thinks I’m a smart ass.. Or doesn’t like teaching and shouldn’t be here…

    Damn kid. All he does is play games. They’re all alike.

    And then it happened… a door opened to a world… rushing through the phone line like heroin through an addict’s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought… a board is found. “This is it… this is where I belong…” I know everyone here… even if I’ve never met them, never talked to them, may never hear from them again… I know you all…

    Damn kid. Tying up the phone line again. They’re all alike…

    You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

    This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

    I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.

    ——————————————————————

    But today hacking is often driven by profit. Credit card theft, personal information theft, proprietary information theft, etc. This directly impacts us all, and perverts the original idea of the internet, and of those pioneering hackers of the 80s and 90s. People like Mr. Mitnick, will however, help to keep systems secure. There could be great infringements of privacy, but there is a bigger threat posed by hacking…

    Last year, someone launched the most sophisticated computer virus/worm ever discovered. It was designed to destroy centrifuges used in an Iranian nuclear processing facility by spinning up and slowing down the centrifuges repeatedly. Check out this great (though very long) article from Wired on it: http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1

    Is this the dawning of a new era? Will nations wage war in cyberspace? Ok, if you try hard enough, you may get my credit card information. Fine. But, please, keep your hands off the nuclear reactor…

  7. When considering punishment, we often forget about the theories that go behind these sentences. One of the main theories that should be considered, especially in the realm of technology is deterrence theory, whereby deviance is controlled through fear of punishment. Much of the war on cybercrime can be combatted through general and specific deterrence. Through general deterrence, members of society are deterred from engaging in illicit activity after they see the punishment others have received. On the other hand, specific deterrence is aimed at the individual. All of us have downloaded something at one point or another. As laws adapt to changes in technology they also become harsher and swifter in their enforcement. Downloading songs, copying movies, etc has been illegal since the beginning. However, how many of you have thought twice about downloading content once you read stories about the insanenly harsh fines people have had to pay when they got caught? It’s clear that hackers and cybercriminals are motivated by different reasons and have different objectives. Some are motivated by politics, others by “love.” Regardless of the harm, I feel like cybercrimes should have statutory minimum sentences that are harsh, regardless of their motives. Tracking hackers is extremely costly and when they get caught, they should be made an example to discrouage others from what they do. People maynot understand the seriousness of cybercrimes but it seems to fall on ignorance not being an excuse for committing a crime. It would be interesting for specialized E-Courts to be developed, just as there are drug courts and other specialized courts, to efficiently respond to crimes today and be consistent in their precedence.

  8. I think it is hard to overstate how reliant the world has become on technology. The internet, specifically, has absolutely revolutionized our lives and has proven to be quite beneficial. Among other things, it has refined communication, commerce, industry, the transmission of information, etc.

    However, the Internet has also created an unprecedented criminal phenomenon that, alarmingly, our legal system seems ill-equipped to combat, especially given that crimes related to hacking are growing in scope and destructiveness. The crimes committed by hackers are infinite: data crimes, unauthorized access crimes, financial crimes, threats to national security, virus dissemination, fraud/forgery, cyber warfare, threats to public infrastructure, etc.

    According to the blog, Downing argues that the current sentencing guidelines are sufficient and that the US Sentencing Commission can, in the future, facilitate the deterrence of new cybercrimes by amending the guidelines as technology advances.

    Unfortunately, I wholeheartedly disagree. In my opinion, hackers seem truly undeterred by the prospect of arrest or prosecution altogether, and it’s not hard to see why. First of all, these hackers are cloaked in anonymity and are highly sophisticated. They are incredibly skilled at masking any and all traces leading to them and thus detection of these individuals is incredibly difficult. And they know that. Second, these hackers can be anywhere in the world. That almost guarantees a migraine for any law enforcement official tasked with tracking the hacker down. And I don’t even want to think about the pain a prosecutor will feel when trying to navigate the jurisdictional morass that is likely to follow, if and when a non-US resident is tracked down. Further, if the country in which the hacker resides does not have any laws criminalizing the hacker’s behavior, it is unlikely that the hacker will be deterred by any laws enacted in another country.

    Third, hacking a computer/website/network seemingly would take a very long time. But that likely pales in comparison to how time consuming a hacking investigation would likely be. Additionally, any investigator on the case would necessarily need to be highly skilled in computers. Most state and local law enforcement officers are probably not well-trained enough to handle these drawn-out, complex investigations and thus it would likely be handled by federal agents. Hackers are probably very aware that such slow-moving investigations are very expensive as they bleed law enforcement’s funding and resources. Thus, the small-scale hacks are not really deemed to be “worthy” of law enforcement’s efforts.

    Fourth, I noticed in the supplemental articles that many of these hackers are teenagers. Prosecutors are surely going to run into issues of whether these teens can be prosecuted as adults, whether they truly understood the effects of their actions, etc.

    Finally, raising the sentencing penalties for hacking may result in the complete opposite effect — instead of deterring hacking, it may encourage hacking. Taking the psychology of the hacker culture into account seems to be vitally important. By nature, these hackers seem to be very defiant individuals. Breaking the rules and getting away with it seems to be the name of the game, so to speak. If the penalties are raised, then the stakes of the game are raised, and it could result in positively reinforcing hacking by creating more excitement in beating a new level in their game.

    Overall, I am honestly not sure how to even address this issue. The infinite scope and unwavering growth of hacking is very alarming, especially given that issues of national security are being raised. However, what I do know is that hackers do not seem to be deterred by our current legal framework as it appears to be weak regarding enforcement and prosecution.

  9. Stringent sentencing guidelines for hackers will not serve to deter hackers from engaging in criminal behavior. Hackers, even those apart of a group such as Anonymous of LulzSec, are anonymous. The government must first be able to identify a hacker in order to catch the hacker. This is not impossible, as illustrated by the article, FBI Arrests 16 in Anonymous Hacking
    http://news.cnet.com/8301-27080_3-20080746-245/fbi-arrests-16-in-anonymous-hacking-investigation/?tag=TOCmoreStories.0. However, arrests of hackers and hacker groups are the exception and not the rule. Hackers and their victims can be anywhere in the world and although the United States may place harsh punishment on those engaging in hacking, it is not a guarantee that another country will. There is also no guarantee that another country will allow the U.S. to extradite one of its citizens for hacking, especially for the hacking of an individual account. This raises another reason for the failure of strict punishment to deter hacking, the government will only prosecute a hacker if the prosecution is cost-effective.
    The hacking of individual accounts and small business are low priority for government prosecution because the harm to the individual or small business is relatively small in proportion to the cost of locating and prosecuting a hacker. These same victims are usually unaware of the hacking and by the time they feel the effects of invasion of their privacy or the loss of their property, the hacker is long gone. Individual hackers are typically judgment proof, imposing a fine is not a deterrence.

    Well, if stringent sentencing guidelines do not deter hackers, what will? I can only venture a few solutions? Run anti-hacking campaign that are similar to anti-smoking campaigns which make the lifestyle less glamorous – hacker in jail. The same campaign would also show the effects to the victims, whether the victims were the families of officers of the BART transportation system whose personal information was released to the public via Twitter, the CIA’s system and the threat to national security or an individual whose money was stolen out of their checking account. Another solution as previously suggested is to deplete the funds of those who engage in hacking for monetary gain.

    Of course, these are not perfect solutions, but they may serve as a better deterrence than strict sentencing.

  10. When it comes to hacking and sentencing. I think it is important to remember the spirit of hacking. It’s fun, It’s adventurous, and challenging. I have always been interested in hacking. And can understand why someone would decide to be a hacker. I unfortunately don’t have the type of brain required. We must focus on what punishment is doing. I agree with David that current punishments are not deterring hacking. I think some people are just hackers. They love it and the punishment really does not scare them. A hacker fears being caught but it is part of the game. I guess the best never would be caught would they.

    Hackers do cross boundaries that are contrary to society and our laws in the real world. The internet is a global community of interconnectedness. We need to police the internet, yet we must remember that we will never be able to police it completely. Hacking is a part of it. It allows for a different type of bad guy to be bad. Using just brain power and a terminal. No other assets required. This is the person we need to police, but how? How can we deter them? The best exercise to stop hacking would be preempt it. Many hackers end up switching sides. The best way to stop hacking would be to get the best and the brightest on the side of protecting rather than causing trouble.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: