Hackers might face stiffer sentences in U.S.

WASHINGTON Sat Jun 18, 2011 8:03am EDT

A journalist checks the U.S. Senate's website after it was attacked by internet hackers in Washington June 13, 2011. REUTERS/Stelios Varias


WASHINGTON (Reuters) - Even before a loosely organized group of hackers broke into the CIA's and Senate's public websites, the White House asked for stiffer sentences for breaking into government and private computer networks.

Last month the Obama administration pressed Congress to pass stronger cybersecurity measures, including a doubling of the maximum sentence for potentially endangering national security to 20 years in prison.

While it remains to be seen if the proposal will become law, the question of how to fight cyber-crime has risen to the fore in recent weeks with a spate of high-profile, and sometimes sophisticated, attacks.

The computer break-ins have targeted multinational companies and institutions, including Sony Corp, Citigroup and the International Monetary Fund. Sony faces dozens of lawsuits related to the theft of consumer data from its PlayStation network.

Also, in the latest flurry of hack-ins, the loosely organized group Lulz Security said it broke into the Senate's and CIA's public websites, as well as Sony and other targets.

"It's been a busy month," said James Lewis, of the Center for Strategic and International Studies think tank.

Lewis said "hacktivists," who often break into websites to make a political point or generate publicity, made "a big mistake" in going after the public websites of the FBI and the CIA. "That bumps it up immediately," he said. "That could make it a grudge match."

But tackling cybercrime -- as well as other kinds of cyberattacks -- has often been complicated by the difficulty of determining who is responsible.


"Smoking keyboards are hard to find," said Frank Cilluffo, director of George Washington University's Homeland Security Policy Institute.

"Anonymity of cyberspace, the lack of being able to do 100 percent attribution makes it difficult from a national security standpoint, obviously, if you don't know who is behind the clickety clack of the keyboard, or even if you do, you don't have 100 percent confidence," he said.

Under current law, for first-time offenders, the Computer Fraud and Abuse Act sets a maximum sentence of 10 years in prison for breaking into a U.S. government computer if national security is at stake, a maximum of five years for breaking into a computer in order to steal, and one year for stealing a password to a financial institution or accessing a government computer, for example to deface it.

Under the White House proposal, the 10-year maximum sentence for potentially endangering national security would become a 20-year maximum, the five-year sentence for computer thefts up to $5,000 would become a 10-year sentence, and the one-year maximum for accessing a government computer -- either to deface it or download an unimportant file -- could become a three-year sentence.

At this point, none of the cybersecurity legislation introduced or circulating in Congress has included those tougher sentences.

And Stephen Ryan, a former prosecutor, said that if the goal is deterring cybercrime, lengthy sentences won't do the trick as well as actual arrests and prosecutions.

"There may be people who fully deserve a sentence that's more than five years. The key to deterrence is prosecution and conviction," said Ryan, now a partner at McDermott, Will & Emery.

Catching sophisticated hackers is notoriously difficult, which often means the sloppy and the stupid will end up being prosecuted -- as well as a few who just have bad luck.

"There's also the question of resources," said a cyber expert who asked not to be named. "So when you're talking about nuisances -- like the Senate and CIA -- a lot of this comes across as childish vandalism. In those cases you have to question whether you devote the resources and prosecute that."

But the sentences can get longer if other crimes are involved. Alberto Gonzalez was sentenced to 20 years in prison in 2010 for hack attacks into major U.S. companies that led to the theft of more than 40 million credit and debit card numbers.

(Additional reporting by Jeremy Pelofsky. Editing by Warren Strobel and Xavier Briand)

Comments (3)
Blackorpheus wrote:
Capture a high-level hacker, offer him big $$$ to work for your corporation to capture at-large hackers. If he doesn’t buy that deal, stick him in Gitmo.

Jun 18, 2011 2:04pm EDT
SanPa wrote:
The sentence should fit the injury. Theft can be sentenced per guidelines in place for burglary. Theft contributing to treasonous disclosures … prosecuted in accordance with provisions of the U.S. Constitution. Damaging hacks can be prosecuted per current guidelines for intentional destruction. And deaths resulting from computer hacking incidents can be prosecuted as first degree homicide with special circumstances. As for venue of incarceration, maximum security prisons in the sodomite section.

Jun 18, 2011 2:33pm EDT
bryan.herbert wrote:
Here’s the thing. LulzSec has time and time again broken into what’s supposed to be extremely secure servers hosting very sensitive data. If they don’t release the data it goes right back into the company’s hands and the breach gets covered up. Security companies and IT monkeys are getting paid big time $$$$ to make sure these servers are protected, but why are they getting broken into so easily? I have a feeling little to no protection is being offered at top dollar pricing.

Sony was running outdated Apache software without patches and NO FIREWALL. This is basic stuff that comes with any Windows home PC. So why is Sony charging customers so much money for online game play when there’s nothing at all to their network? Why should ANY consumer including employees of the federal government trust any company that keeps their personal info especially credit card info on file? The only damage LulzSec has done is damage the reputation of the IT departments at PBS, Sony, Porn.com and a few other companies. The same can be said for the IT clowns that were hired to protect the websites of the U.S. Senate and the CIA. They failed miserably. If anything the government should be pissed at their own IT people, not LulzSec. LulzSec should have never been able to get in.

Jun 19, 2011 1:45am EDT