, SecurityFocus 2001-07-30
Law enforcement's response to the 1999 Melissa virus represented the pinnacle of cybercrime fighting: brilliant sleuthing, a quick arrest and a full confession by the culprit. Two years later, David L. Smith's date with justice is far more elusive.
Nearly twenty months after entering guilty pleas in state and federal court the confessed author of the infamous Melissa computer virus remains free on bail with no firm sentencing date in sight, while the prosecutors who once ballyhooed Smith's arrest as a model of swift and certain information age justice have fallen mysteriously silent.
When Melissa struck on March 26th, 1999, it introduced a generation of netizens to the concept of a computer virus. The worm targeted Microsoft Word users, and spread by sending an infected email to the first 50 addresses in each victim's Microsoft Outlook address book. Though non-destructive by design, the virus propagated so quickly that it jammed corporate and governmental networks, forcing some large companies to temporarily sever their connections to the Internet. By some estimates, the virus caused millions of dollars in losses.
Within a week of the outbreak, New Jersey police and FBI agents tracked the virus through a hijacked AOL account to Smith, then 30. On December 9th of that that year the programmer plead guilty to computer crimes in state and federal court, and stipulated in a detailed plea agreement to having caused over $80,000,000 in damage. The losses, coupled with other stipulations in the plea agreement, carry a prison term of 46 to 57 months.
Then-U.S. Attorney General Janet Reno lent a quote to the press release; Smith remained free on $100,000 bail.
There, the flurry of activity stopped. Smith's February 18th, 2000 sentencing date was postponed, then, as the new date neared, was postponed again. In all, Smith's sentencing has slipped five times. If he were to be sentenced today, the elapsed time between his adjudication and sentencing would come in at five times the 125 day federal average. The state case -- subordinate to the federal sentence -- remains in limbo.
The New Jersey U.S. Attorney's office is mum on the reason for the delays, and Smith's lawyer, Edward F. Borden, didn't return repeated phone calls about the sentencing over the past six months. Smith himself, reached by telephone last May, declined comment.
More mysteriously, court records reflect no filings by either Smith's defense attorney or federal prosecutors relating to his sentencing and the postponements. The only visible additions to Smith's file since his 1999 guilty plea are three court orders granting Smith permission to leave New Jersey, once to travel to Brunswick, Georgia on business, twice to visit friends on the Florida Keys.
Informed speculation on Smith's elusive date with the judicial gavel tends to follow two lines of thought.
First, legal experts say, prosecutors and Smith's lawyer may have privately reopened negotiations over the amount of loss caused by Melissa's rampage. Smith's plea agreement leaves him the option of arguing in court that he should be sentenced below federal guidelines, because he didn't intend to cause financial losses. Additionally, while Smith admitted to causing over $80,000,000 in losses, the court is not bound by that admission, and if a pre-sentence investigation by the U.S. Probation Department finds that Smith caused less damage, the judge would likely hand down a lower sentence.
"It's unusual that it would take this long, but the sentencing details can be maddeningly confusing in this kind of case," says Mark Rasch, a former Assistant U.S. Attorney who handled the only prior federal computer virus prosecution: the case against the 1988 Internet worm author Robert T. Morris.
"We had exactly the same kind of problem in the Morris case," says Rasch, now vice president for cyberlaw at Predictive Systems Inc. "Morris caused $200,000 in damage, but intended to cause no damage. How do we treat him?"
The second possibility, and one which better accounts for the silence now surrounding the case, is that Smith found a way out of his prison fate: cooperation on another, unrelated investigation.
"Parties are filing things under seal, and that typical means somebody is cooperating with the prosecutor," says Matthew Yarbrough, also a former federal computer crime prosecutor. "The government doesn't want to put him in jail before his cooperation is finished."
Yarbrough, now an attorney with Fish & Richardson, recalls one white collar crime case he prosecuted in which the defendant remained free and awaiting sentencing for two years, while working undercover for law enforcement in exchange for special consideration. "We carried that thing on for two years, under seal," recalls Yarbrough. "We needed him out there, on the ground, helping us."
"That typically would account for a long delay between a plea and a sentencing," agrees Rasch. "Under the sentencing guidelines, the only way you can really reduce your sentence... is to cooperate against other people. In light of the fact that Smith stipulated to eighty million dollars in losses, it's likely that he would offer to cooperate. And if he offered to cooperate, the government may have found a way to use his cooperation."
It's not clear what Smith, a virus writer with no known involvement with other criminals, would have to offer prosecutors. But "there's a serious possibility that could be exactly what it is," says Yarbrough.
"I really couldn't comment on that either way," answers Mike Drewniak, spokesman for the U.S. Attorney's office in New Jersey
Since Melissa's romp over two years ago, the Internet has hosted hundreds of other viruses, from LoveLetter to Code Red and Sircam. Many of them have wrought more havoc then David L. Smith's creation. But the open-ended case against Smith remains the only U.S. prosecution of a web-era Internet virus writer.
Sentencing is currently scheduled for September 10th, 2001.