• United States



by Sandy Kendall

Teen Hacker or Cybercriminal: How Do We Draw the Line?

Dec 01, 20033 mins
CSO and CISOData and Information Security

Last month, three 20-year-olds were arrested for breaking into the Lowes Companies wireless computer network from a laptop in their car in the parking lot. Theyve been indicted on charges of conspiracy, wire fraud, computer fraud, unauthorized computer access, intentional transmission of computer code and attempted possession of unauthorized access devices. If convicted on all counts, each of the young men could be sentenced to 170 years in prison. They may have gained access to six credit card numbers.

In Korea, on Nov. 19, 11 members of the hacker clan called Wowhacker, including one teenager, were booked without detention on charges of stealing personal information from websites.

On Nov. 20, 10 teenagers were arrested in La Quinta, Calif., in a scheme to hack into their schools computer system and changes grades and attendance records. The students were suspended, and face expulsion. The punishment possible from the law is a fine up to $10,000 and a prison term of up to three years.

In England, an 18-year-old appeared in court on Nov. 21 for a June 2002 incident, when he hacked into the Fermi Nuclear Laboratory system. He was using the system to get free music and videos from the Internet, but it sparked a three-day shutdown of the facility. Legal authorities have called him naïve, pleasant and cooperative, but still the Magistrate told the Guardian newspaper, At this stage I am not giving you any promises how the court will deal with this matter.

We frequently read that most hackers are either teenage boys or young men who act like they were still teenage boys. Most hacks are primarily a way of showboating. The kids (or emotionally retarded adults) are demonstrating to peers and to hoped-for girlfriends that they can outsmart the powers that run the worlds businesses and governments. And they can.

Many analysts dont care. They argue quite rationally that the constant barrage of little non-malicious hacks wreaks as much havoc on corporate America as does deliberate sabotage from the extortionists and even terrorists. They say the damage must stop.

When hackers are caught, there can be convoluted pressures for and against tough punishment. Youth is one consideration. Prior record (or lack thereof) is another. Cooperation and contrition play a part, and so of course do material losses. Blaster and its variants, for example, have reportedly cost businesses more than $1.3 billion.

What are the courts to do? On the one hand are those who want to throw the book at the offenders, teenage misfits or not. As a columnist at The Pacific Daily News (Guam) writes: We send people to prison for robbing a gas station of $85, and we should. But computer hackers, bless their pointed heads, have lost America billions of dollars, and we still look at the damage they cause as little more than kids pranks.

On the other hand are those who think that making examples out of script kiddies is a waste of time, money and the potential of young lives. They say punishing non-malicious hackers is not as important as beefing up corporate security and busting real cybercriminals like hacker collectives in China or extortionists from Russia.

Should we draw a line between heedless boys trying to impress their buddies with coding exploits and cunning criminals who are bent on destruction? How can we make the punishment fit the crime of hacking?