Do Punishments Fit the Cybercrime?

The March 25, 2010, sentencing of hacker Albert Gonzalez to 20 years in prison and millions of dollars in restitution was historic because it was the stiffest verdict imposed for a financial crime, and the longest US prison term in history for a cybercrime. It dwarfs the sentence recently imposed on hacker Max Ray Vision, who received 13 years in prison for similar crimes.

Gonzalez (aka ‘soupnazi’, ‘cumbajohnny’, ‘j4guar17’, or ‘segvec’) was sentenced for leading a gang of cyber thieves who stole more than 130 million credit and debit card numbers from TJ Maxx (TJX) and other retailers. Gonzalez’s sentencing followed two others related to the TJX hacks.

In December 2009, Stephen Watt, a former coder for Morgan Stanley, was sentenced to two years in prison for providing the sniffer that Gonzalez used in the TJX hack. Watt was also ordered to pay restitution to TJX, jointly with other accomplices, in the amount of $171.5 million.

Additionally, Humza Zaman, a former network security manager at Barclays Bank, was sentenced to 46 months in prison and fined $75 000 for serving as a money courier for Gonzalez. He was charged with laundering between $600 000 and $800 000 for the famed TJX hacker.

Gonzalez was also concurrently sentenced in another case involving breaches at Heartland Payment Systems (a New Jersey card-processing company), Hannaford Brothers supermarket chain, 7-Eleven and two national retailers that are unidentified in court documents.

Setting a Precedent

In light of the relative impunity with which cybercriminals currently operate, the argument can easily be made that both national and international law enforcement communities are ill equipped to stem the rapidly rising tide of cybercrime. Prior to the Gonzalez sentence of “near-life” for computer fraud, there was a marked absence of tangible or identifiably deterrent sentences for digital crime. If the 1999 highly publicized criminal conviction of notorious hacker, Kevin Mitnick – involving a five-year prison term and $25 000 in restitution – was intended to ‘send a message’ to other would-be hackers, then the message was lost on Gonzalez and his gang. Gonzalez dubbed his criminal enterprise ‘Operation Get Rich or Die Tryin’, and confided to accomplices that his goal was to earn $15 million from his schemes, buy a yacht and retire.

Gonzalez was well on his way to achieving his goal when he was finally jailed six years into his crime spree. Regardless of his near-life sentence, skilled and increasingly unskilled cybercriminals are being lured by the internet’s perceived anonymity and ubiquity, combined with a potentially fast, easy financial gain. It is doubtful that stiffer sentences will substantially impact the cybercrime juggernaut.

Right Under Our Noses

The Gonzalez case was also historic from another perspective. It is emblematic of not only the transformation in how computer crimes are being perpetrated, but it also sheds light on the subsequent evolution of how these crimes are being investigated.

Cyber security and law enforcement communities have progressively improved their ability to deal with cybercrime, largely as a result of increased spending, training, and bringing ‘non-traditional’, sometimes controversial tactics and techniques to the exploding threat space. The Gonzalez case provides a textbook example of how one such controversial technique can backfire on law enforcement.

Gonzalez initially popped up in a law enforcement dragnet in 2003, when he was arrested for making fraudulent ATM withdrawals in New York. Under the nickname ‘Cumbajohnny’, he was, at the time, a top administrator on a carding site called “Shadow crew”, where crooks trafficked in stolen bank card data and other goods. Upon discovery of how central his role was in the carding community, the US Secret Service freed him but then hired him to work undercover on the site. Gonzalez then lured his associates into using a supposedly secure virtual private network (VPN) that was wiretapped by the Secret Service.

After a year-long undercover sting operation, 28 members of the site were arrested, and the site was taken down. Although Gonzalez continued to help the Secret Service as a salaried employee, earning $75 000 a year, he adopted a new online identity, ‘segvec’, and resumed his criminal activity under the noses of the agents who were paying him. He ramped up his activities to a level that far exceeded any crimes he had committed prior to his arrest. Until it was discovered in May of 2008, law enforcement had no idea that the ‘segvec’ they were furiously chasing for more than a year was, in reality, a salaried informant employed by the Secret Service.

Legislation that’s Behind the Times

From a legislative perspective, many existing criminal laws in national and international jurisdictions were originally drafted to deal with physical acts, and thus do not clearly prohibit equivalent virtual acts performed online. Historically in the US, the use of electronic surveillance for legitimate purposes such as intelligence and law enforcement investigation, as well as for illegitimate purposes, spurred the enactment of a number of laws intended to comprehensively address such activities.

Congress passed the first federal wiretap statute as a temporary measure to prevent disclosure of domestic telephone or telegraph communications during World War I. Despite several notable legislative advances since then, very specific US computer crime statutes, such as The Wiretap Act or the Computer Fraud and Abuse Act, are woefully outdated and inadequate to handle the pace of technological advancement in today’s world. The Computer Fraud and Abuse Act was written in 1986, before information systems became such an integral part of American life. Consequently, prosecutors must find plausible ways to apply the law, hope that the judiciary and juries understand the severity of the crime and can, within the limitations dictated by the law, penalize appropriately.

The salient lessons to be learned from the legislative challenge is that several jurisdictions have yet to update their laws to prohibit ‘new’ crimes such as hacking and denial-of-service attacks, or to penalize these crimes sufficiently to act as a deterrent. Furthermore, many of those jurisdictions that do have clear criminal laws also have not adopted the procedural mechanisms necessary to enable law enforcement to investigate cybercrime effectively, or they may not have established treaties and policies that permit international cooperation, which is essential in combating cybercrime.

Industry has been helping to support the development of strong international legal regimes in a number of ways, including efforts to amplify the message of encouraging countries to adopt and ratify the Council of Europe Convention on Cybercrime. It’s a powerful international instrument on cybercrime, and is increasingly viewed as providing a global standard for criminalization obligations and governmental cooperation in this area. The Convention on Cybercrime provides an important baseline for effective international cybercrime enforcement by requiring signatories to update and adopt laws and procedures to address crime in the online environment by providing for mutual investigative assistance between signatories.

We’ve also seen very tangible results of industry identifying those areas where existing laws are inadequate, bringing them to the attention of lawmakers and supporting efforts for reform, such as anti-spam legislation and the recent Botnet Task Force led by Microsoft.

Despite recent upswings in the number of stiffer penalties and fines for cybercrimes, the requisite level of deterrence is still missing, and the tide of cybercrime continues to rapidly rise. The challenge of disparate national and regional laws and practices concerning the investigation and prosecution of cybercrime, data preservation, protection and privacy is substantial, but until these issues are resolved they will continue to stymie national and international law enforcement efforts.