[BreachExchange] Is US Computer Crime Justice Draconian?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 20 18:46:36 EST 2018


Is U.S. computer crime justice draconian?

That's one obvious question following Britain's high court ruling that
Lauri Love, a man who's suspected of stealing data in 2012 and 2013 from
numerous U.S. government agencies, including the FBI, US Army, Department
of Defense, NASA and the Federal Reserve, would not be extradited to the
U.S., in part because of judges' poor view of the U.S. justice system (see
British Hacking Suspect Avoids Extradition).

The U.S. government sought Love's extradition, which he fought. And on Feb.
5, England's Court of Appeal ruled that 33-year-old Love would not be
extradited on two grounds. First, Britain's Crown Prosecution Service
declined to prosecute Love, but could still do so, and must review whether
it will. Second, the British court said the U.S. justice system could not
be trusted to treat Love humanely. The judges wrote that his incarceration
in the U.S. would be "oppressive by reason of his physical and mental
condition," which includes severe depression and Asperger Syndrome.

Love isn't the first British individual who's been accused of hacking the
U.S. government whom the U.K. ultimately chose not to extradite. In 2012, after
a decade-long case, the government rejected a U.S. extradition request for
Gary McKinnon, who said he'd been looking for evidence that the U.S.
government was covering up the existence of UFOs.

But terrorism analyst Michael S. Smith II, speaking with Britain's Channel
4 News, says that the U.K.'s failure to extradite computer criminals
"creates a dangerous precedent in terms of U.K. government signaling to a
range of illicit actors that it's going to limit our capabilities to pursue
justice, when these crimes occur."

"ATT Friends in UK: Earlier today, I did an interview with @Channel4News re
the implications of @LauriLove's extradition appeal. Put simply, the ruling
will negatively impact the US's abilities to deter foreign hackers from
targeting government systems and critical infrastructure."

— Michael S. Smith II (@MichaelSSmithII) February 5, 2018

But some legal experts have long questioned the supposed impact of U.S.
deterrence (see The Myth of Cybercrime Deterrence).

"The truth is that cybercrime occurs for a lot of different reasons, and is
very rarely deterred by the threat of punishing someone else," says Mark
Rasch, a Washington computer crime attorney who formerly worked at the
Justice Department.

As with murder, espionage or innumerable other crimes, "no one reads an
article about someone being prosecuted for cybercrime and says, 'You know,
I was planning on doing it, but now I won't'," he adds.

US Sentencing Guidelines

In Love's case, Rasch says it's important to clarify Love's assertion that
he faces probably 36 months in U.K. prison if convicted of hacking charges,
whereas he would have been locked up for 99 years if he'd been found guilty
in U.S. court, which Rasch says would have been the maximum time to be
served, based on charges filed against him. Instead, federal sentencing
guidelines would have applied.

But Rasch contends that U.S. sentencing guidelines can be draconian,
especially for computer crimes (see Young Hackers: Jail Time Appropriate?).

"They're inexact and they can be draconian, because they do look at things
like economic damage, economic loss and impact," he says. "They don't
necessarily have enough flexibility to deal with things like juvenile
pranks, and even things like what I would call criminal juvenile
experimentation - things that are clearly criminal, you don't want to
minimize their impact, you want to say they're clearly criminal, but
they're not the same thing as a criminal heist - a gang of organized
criminals trying to do something terrible."

A compounding problem, Rasch says, is the disconnect so many people -
especially younger individuals - feel when they're sitting at a keyboard.
"A lot of kids - and I'll say kids, anywhere from the age of 11 to the
early 20s who have not yet developed the type of socialization necessary to
not commit crimes, they're really not necessarily thinking about the impact
of what they're doing: I can't be committing a crime, I'm just typing,"
Rasch says.

"When I was 15, the worst I could do is burn the house down. Today's
15-year-olds could shut down the federal reserve," he adds.

Hacker Rehab Bootcamp

Some countries are taking more creative approaches to address criminal

The United Kingdom, for example, has successfully prosecuted many young
hackers. In the case of LulzSec, its youngest member, Mustafa Al-Bassam,
who was a 16-year-old at the time of the group's summer of 2011 hacking
spree, pleaded guilty and received a 20-month suspended sentence and 500
hours of unpaid community work. He's now a PhD student in the Information
Security Group at University College London and a cybersecurity adviser to
London-based secure payment gateway provider Secure Trading.

"If the US's ability to deter foreign hackers is incompatible with other
countries' democratic laws, that's the US's problem. The US doesn't own the
world. There's absolutely no reason why Lauri can't be tried and prosecuted
in the UK, as I was in 2011. https://t.co/Fi9MuyTMll"

— Mustafa Al-Bassam (@musalbas) February 5, 2018

LulzSec member Jake Davis, who was 18 at the time of the attacks, pleaded
guilty to launching DDoS attacks, and received a sentence of 24 months in a
young offenders institution. He's now part of a security startup called
Skyscape and lectures on the dangers of criminal hacking.

Britain's National Crime Agency, the successor to the Serious Organized
Crime Agency that took down LulzSec, has begun testing hacker rehab
programs aimed at teenagers who have been caught launching online attacks,
in an attempt to entice them away from a life of crime.

Rasch says it's clear that no country has all of the answers when it comes
to computer crime and that the U.S. justice system would do well to study
what others are doing. "No country has a monopoly on justice in cybercrime
cases," he says.