Slot Machine Justice for Melissa Author
Mark Rasch, 2002-05-13

Under capricious computer crime sentencing rules, virus-writer David Smith managed to get the right prison term for all the wrong reasons.

David Smith, the author of the "Melissa" virus, was sentenced recently in federal and New Jersey state courts to serve what amounts to 20 months of incarceration in a federal penitentiary. The government estimated that the Melissa virus caused more than $80 million in "loss" to computer users. The question then is, like that with Goldilocks and the three bears, is the sentence too little, too much, or juuuuuuust right?

My answer is that the sentence is probably just about right, but not for the reasons for which it was actually imposed.

In 1988, Congress abolished federal parole and replaced the existing sentencing regime -- which gave wide latitude to federal judges -- with the United States Sentencing Commission. The Commission was tasked to determine the appropriate range of sentences for all federal crimes, from treason to trespass, as well as all of the potential factors a sentencing court might consider in imposing sentences.

These guidelines were supposed to assist the court in determining what sentence was to be imposed, impart some degree of certainty in the sentencing process, and permit uniformity in sentences. It was posited that, for criminal sentences to have a deterrent effect, the offender should know, before committing the offense, precisely what sentence they faced. If the sentence were sufficiently harsh, the offender theoretically would be deterred from committing the crime.

As a result, when sentencing a convicted criminal, federal courts must consult sentencing tables and apply factors that have been predetermined by the Commission.

Each factor is given a "point" weight, either positive or negative; the more "points" the higher the sentence. If the offender acted with forethought and more than minimal planning, the points go up. If they used a "special skill," again, more points. If this is a second offense, the sentencing tables enhance the sentence.

So instead of simply using common sense or instinct to impose a sentence, federal judges are left with a "Chinese menu" of options -- one from column "A" and one from column "B." The U.S. no longer sentences people as people, or even offenses per se -- we sentence "factors." Indeed, certain factors that we would consider important in evaluating the character of a person, such as age, maturity, educational level, motive, lack of prior offenses, and emotional or other duress, are generally either prohibited or strongly discouraged as factors to be considered.

Sentencing of Hackers and Virus Writers
Unfortunately, the sentencing guidelines for computer crime have been linked to the so-called "fraud" tables. This is partly a consequence of the fact that the computer crime statute was originally called the "Computer Fraud and Abuse Act," and partly because, in 1984 when the statute was first passed, and in 1988 when the sentencing guidelines were initially promulgated, the most serious computer crime cases involved forms of wire fraud and theft.

The fraud tables focus primarily on the actual or intended loss created by the defendant's conduct -- the theory being, a crime which results in greater actual or potential loss is a more serious offense, and therefore deserving of a harsher sentence. If a defendant intends to cause a lot of damage, and does so, the defendant gets a harsh sentence. If the defendant intends to cause great damage, but fails to cause the damage, the same harsh sentence applies.

However, where the defendant does not intend to cause great damage, but inadvertently does so (e.g., because of a miscalculation of the growth rate of a virus, or its destructive effect, or where the "reaction" to the virus may be disproportionate to the actual harm), the guidelines make no provision to lower the sentence.

Moreover, the sentencing guidelines in effect for David Smith increased (or "enhanced" -- in the euphemistic parlance of sentencing law) Smith's sentence for "abuse of a special skill" and "more than minimal planning." For computer crimes, it makes little sense to include these "enhancements," as there are virtually no prosecutable computer crime cases that don't involve special skills and/or planning. (The planning enhancement is now subsumed in the new fraud tables.)

A Sense of Loss
There is no doubt that the Melissa virus was a serious and destructive bit of code. It caused significant disruption, some loss of data, and caused a large number of people to spend an inordinate amount of time in both defending and responding to the attack. In determining "loss" -- the most significant factor in sentencing -- the government and the courts look to things like the "value" of the property destroyed, the "cost" to the victim, and even the pro rata wages and other benefits of the persons responding to an incident.

As a result, in David Smith's case, the government estimated the "losses" at over $80 million (the fraud tables at the time "capped out" at $80 million, so it was unnecessary to give a precise figure). Applying the sentencing guidelines, Smith would therefore have been sentenced as if he had "stolen" $80 million.

The government can also manipulate the sentence by deciding how many "counts" to include in an indictment. Each count of computer crime carries a maximum statutory sentence of five years. Thus, if charged in only one count, even if the guidelines recommend a 20-year sentence, the maximum sentence that can be imposed is five years. Of course, the government can, in computer crime cases particularly, choose to charge the offense as a single count or as multiple counts -- and thereby increase the maximum sentence from 5 to 20 years. So much for certainty and uniformity.

But did David Smith really "steal" $80 million?

Were the economy and the people affected by the Melissa virus really impacted to the tune of $80 million? Interestingly, no affected company amended its SEC filings to indicate significant losses from the virus. No company was reported to have filed "Melissa" insurance claims.

To a great extent, we measure the wrong things when measuring the significance of computer crime. Measuring "loss" may overstate the seriousness of an offense. In other cases, where data is deliberately altered or destroyed, the losses may be incalculable. Moreover, the sentencing guidelines don't take into account things like loss of confidence in computers or computer systems, or loss of privacy of data -- significant factors for computer related offenses. Thus, the guidelines both overstate and understate the significance of computer crimes, and are generally unrealistic.

Rewarding Stool Pigeons
That said, Smith's twenty month sentence seems to be appropriate, though it was reached for the wrong reasons. Twenty months is neither a draconian sentence on par with penalties for serious violent offenses, nor a mere "slap on the wrist." Having to spend nearly two years in jail should act as a deterrent to all but the most determined hackers and virus writers (assuming they are deterred by such things.)

It would be impossible to say that, had Smith received a sentence of 40 months, 60 months, 80 months, or 100 months, the effect on the hacker community would have been any different. Indeed, as the Kevin Mitnick case demonstrated, a harsher punishment may have resulted in a backlash of sympathy.

What is bothersome, however, is how the sentence was reached. Under the sentencing guidelines, a judge may generally not depart downward from the sentence recommended by the loss and sentencing tables. A significant exception exists if the defendant has provided substantial cooperation in the investigation and prosecution of others, and the government -- and only the government -- files a motion to reduce the defendant's sentence on this ground. The goal of this provision is to encourage people to act as informants against others -- which furthers the goals of law enforcement.

It is not clear what cooperation Smith has provided in the three years between his plea of guilty and the imposition of sentence.

In general, such cooperation may take the form of providing information or testimony about others involved in the specific offense of conviction (other people involved in writing or distributing Melissa?), people the defendant knows are involved in other criminal offenses (contributors to virus forums and BBSs?), or by providing technical or other assistance (e.g., undercover work?) in unrelated cases.

The government constantly and appropriately warns companies of the dangers of "hiring" convicted computer hackers. They are untrustworthy and unreliable -- according to the government. And yet, hasn't the government "hired" David Smith? In exchange for more than eight years of his life (the guidelines sentence was 10 years, not 20 months), he provided information, cooperation and technical assistance.

What is even more disingenuous is the fact that the government initially called the 10 year potential sentence appropriate. And now they call the 20 month sentence an appropriate deterrent. Which is it? Should David Smith's offense result in 10 years or 20 months in jail?

Because Smith promptly accepted responsibility for his actions, I believe that 20 months was the right mix of punishment, deterrent, retribution and reward. But the current sentencing scheme unfairly rewards those who have the knowledge and ability to help the government prosecute others, and punishes those who, because of lack of knowledge or sophistication, or because their offense involved a single act with no other persons involved, lack the ability to cooperate. Sentences should be appropriate to the offense at all times -- not just for those who act as government stoolies.

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."