Cyber crime sentencing is out of whack

Cyber crime detection and punishment has made great strides, but as the Aaron Swartz tragedy illustrates, some prosecutors must be reigned in

Page 2 of 2

Likewise, the RIAA has successfully charged people caught with a few dozen songs thousands to millions of dollars, and our court system backs up the organization all the way. Somehow the RIAA has convinced the court system that a single stolen song on a college student's hard drive is worth tens of thousands of dollars in lost revenue. Please! These huge RIAA settlements look especially ridiculous when compared to the fines levied against offline criminals who commit worse crimes.

I know that many of the excessive sentences are fringe cases. The majority of hackers who've been caught are receiving sentences that fit the crime, more or less. The Sarah Palin email hacker served less than a year in jail. The average Anonymous hacker who caused significant damage is seeing prison sentences of between three and seven years. Most credit card thieves serve about the same amount of jail time.

I'm sure part of the problem, for prosecutors, judges, and juries is determining the extent of the damage caused. For instance, the biggest spammers sent literally hundreds of millions of spams a day. But out of each million spams, maybe six people (a figure I've heard repeated many times over the years) incur actual damage -- from fake medication, for example. Of course, I'm not counting the bandwidth we're all paying for to transmit that spam, but I'm sure some quick calculations would yield a rough dollar value.

Likewise, if a virus infects tens of millions of computers and causes problems with hundreds of thousands, what is the real cost of the damage incurred? Denial-of-service attacks could be valued at the lost revenue or reputation the victim suffered during the attack, along with the costs of recovery and future protection.

We need to update Title 18, Section 1030 of the Computer Abuse and Fraud Act to include damage formulas for various types of computer crime, the intent of the computer hacker (degrees of maliciousness), and the number of victims. As the Swartz case highlights, prosecutors are being given way too much leeway in sentencing.

Given the technical nature of calculating the effect of cyber crime, perhaps we need narrow sentencing guidelines to ensure fairness. I'm all for criminal hackers being punished, but I also want the punishment to fit the crime.

This story, "Cyber crime sentencing is out of whack," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at For the latest business technology news, follow on Twitter.

| 1 2 Page 2
Cybersecurity market research: Top 15 statistics for 2017