Euro Security Watch with Mathew J. Schwartz

Cybercrime , Legislation & Litigation , Standards, Regulations & Compliance

Is US Computer Crime Justice Draconian?

Prosecutors Cry 'Deterrence' to Justify Lengthy Sentences. Who's Deterred?
Is US Computer Crime Justice Draconian?
Lauri Love, pictured in 2017, faces U.S. hacking charges that carry a collective maximum prison sentence of 99 years. (Photo: Geni via GFDL.)

Is U.S. computer crime justice draconian?

See Also: Cybersecurity workforce development: A Public/Private Partnership that enhances cybersecurity while giving hands-on SOC experience to students

That's one obvious question following Britain's high court ruling that Lauri Love, a man who's suspected of stealing data 2012 and 2013 from numerous U.S. government agencies, including the FBI, US Army, Department of Defense, NASA and the Federal Reserve, would not be extradited to the U.S., in part because of judges' poor view of the U.S. justice system (see British Hacking Suspect Avoids Extradition).

The U.S. government sought Love's extradition, which he fought. And on Feb. 5, England's Court of Appeal ruled that 33-year-old Love would not be extradited on two grounds. First, Britain's Crown Prosecution Service declined to prosecute Love, but could still do so, and must review whether it will. Second, the British court said the U.S. justice system could not be trusted to treat Love humanely. The judges wrote that his incarceration in the U.S. would be "oppressive by reason of his physical and mental condition," which includes severe depression and Asperger Syndrome.

Lauri Love addresses the media after England's Court of Appeal on Feb. 5 upheld his U.S. extradition appeal. (Source: BBC)

Love isn't the first British individual who's been accused of hacking the U.S. government who U.K. ultimately chose to not extradite. In 2012, after a decade-long case, the government rejected a U.S. extradition request for Gary McKinnon, who said he'd been looking for evidence that the U.S. government was covering up the existence of UFOs.

But terrorism analyst Michael S. Smith II, speaking with Britain's Channel 4 News, says that the U.K.'s failure to extradite computer criminals "creates a dangerous precedent in terms of U.K. government signaling to a range of illicit actors that it's going to limit our capabilities to pursue justice, when these crimes occur."

But some legal experts have long questioned the supposed impact of U.S. deterrence (see The Myth of Cybercrime Deterrence).

"The truth is that cybercrime occurs for a lot of different reasons, and is very rarely deterred by the threat of punishing someone else," says Mark Rasch, a Washington computer crime attorney who formerly worked as a trial attorney for the Justice Department.

Cybercrime attorney Mark Rasch says deterrence doesn't work.

As with murder, espionage or innumerable other crimes, "no one reads an article about someone being prosecuted for cybercrime and says, 'You know, I was planning on doing it, but now I won't'," he adds.

US Sentencing Guidelines

In Love's case, Rasch says it's important to clarify Love's assertion that he faces probably 36 months in U.K. prison if convicted of hacking charges, whereas he would have been locked up for 99 years if he'd been found guilty in U.S. court, which Rasch says would have been the maximum time to be served, based on charges filed against him. Instead, federal sentencing guidelines would have applied.

But Rasch contends that U.S. sentencing guidelines can be draconian, especially for computer crimes (see Young Hackers: Jail Time Appropriate?).

"They're inexact and they can be draconian, because they do look at things like economic damage, economic loss and impact," he says. "They don't necessarily have enough flexibility to deal with things like juvenile pranks, and even things like what I would call criminal juvenile experimentation - things that are clearly criminal, you don't want to minimize their impact, you want to say they're clearly criminal, but they're not the same thing as a criminal heist - a gang of organized criminals trying to do something terrible."

A compounding problem, Rasch says, is the disconnect so many people - especially younger individuals - feel when they're sitting at a keyboard. "A lot of kids - and I'll say kids, anywhere from the age of 11 to the early 20s who have not yet developed the type of socialization necessary to not commit crimes, they're really not necessarily thinking about the impact of what they're doing: I can't be committing a crime, I'm just typing," Rasch says.

"When I was 15, the worst I could do is burn the house down. Today's 15-year-olds could shut down the federal reserve," he adds.

Hacker Rehab Bootcamp

Some countries are taking more creative approaches to address criminal hacking.

The United Kingdom, for example, has successfully prosecuted many young hackers. In the case of LulzSec, its youngest member, Mustafa Al-Bassam, who was a 16-year old at the time of the group's summer of 2011 hacking spree, pleaded guilty and received a 20-month suspended sentence and 500 hours of unpaid community work. He's now a PhD student in the Information Security Group at University College London and a cybersecurity adviser to London-based secure payment gateway provider Secure Trading.

LulzSec member Jake Davis, who was 18 at the time of the attacks, pleaded guilty to launching DDoS attacks, and received a sentence of 24 months in a young offenders institution. He's now part of a security startup called Skyscape and lectures on the dangers of criminal hacking.

Britain's National Crime Agency, the successor to the Serious Organized Crime Agency that took down LulzSec, has begun testing hacker rehab programs aimed at teenagers who have been caught launching online attacks, in an attempt to entice them away from a life of crime.

Former LulzSec hacker Ryan Ackroyd reflects on his experiences and describes how better educational opportunities could have prevented him from using his skills to commit online crimes. (Source: NCA)

Rasch says it's clear that no country has all of the answers when it comes to computer crime and that the U.S. justice system would do well to study what others are doing. "No country has a monopoly on justice in cybercrime cases," he says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.