Why Law Enforcement Can't Stop Hackers
The Resource Problem
Besides the explosive number of hacking incidents taking place every month, the fact that law enforcement officials are stretched thin across different types of cyber threats makes it even more difficult for them to stem cybercrime.
Keith Chval, the former and first-ever chief of the Illinois Attorney General's Office's High Tech and Computer Crime Unit, says that for the most part, law enforcement officials' first priority is online child exploitation cases. Because investigating child pornography and related crimes draws on the same staff as computer intrusions, says Chval, fewer people are left to investigate data breaches.
In addition to more investigators, law enforcement agencies need ongoing training to keep up with new technologies and with the evolving schemes hackers use to commit their crimes, adds Chval, who now runs Protek International, a computer forensics and investigative services firm.
"When you get to the point of seizing computers with a search warrant or otherwise gain access to evidence, it needs to be examined properly," he says. "The investment in people and their training is significant, and that's challenging in our current economic situation. The physical facilities, the labs, to do the forensic work are critical, too. That's been a real backlog in the system: There are cases where forensics need to be completed before they can move forward."
Purdue University's Spafford criticizes federal legislators for not taking cyber-crime seriously and for not giving law enforcement officials the political and financial support they need to fight it.
"It's interesting to note the way legislators do react to cybercrime," says Spafford, who started and directs Purdue University's Center for Education and Research in Information Assurance and Security. "They require companies to disclose breaches. There's legislation that would set new regulations on software suppliers and the people who configure the systems, but there's been no budgeting to add law enforcement to investigate those breaches. For law enforcement to succeed, they need money for training, equipment, and they need political support to do these investigations."
When cybercrimes span state and international boundaries, investigating them gets even more complicated, adds Spafford. "If you're trying to get logs or assistance remotely, it is very difficult with some countries to get the cooperation of their law enforcement, especially if the crime is being committed by someone in their country," he says. "That's another area where the government could help, by putting pressure on countries that have been unwilling to assist in the investigation of crimes."
Prosecution and Prison Sentences
Former cybercrime investigator Rogers says prosecuting cybercrime cases is "usually pretty cut and dried." The evidence linking a hacker to a crime is hard to dispute because every activity on the Internet leaves a trail, he says.
"Usually there's nothing more than a token effort to defend it," says Rogers. "The evidence really stands up if you've done it [the investigation] correctly."
That leaves sentencing. Judges impose prison sentences for three main reasons: 1) as punishment; 2) to prevent the convict from carrying out the same crime again (at least while they're incarcerated) and 3) to discourage others from participating in the same crimes.
Prison sentences for hackers vary by jurisdiction. If the crime is federal, prison sentences are set according to federal sentencing guidelines. The maximum prison sentence for one common hacking charge—accessing a protected computer without authorization—is five years in prison and a fine of up to $250,000. The maximum prison sentence for another common hacking charge—intentional damage to a protected computer—is 10 years plus a fine of up to $250,000.
Hackers are also often arrested on conspiracy charges, which carry a maximum penalty of five years in prison and a $250,000 fine.
The cybercrime and law enforcement officials interviewed for this story don't see any problems with the sentencing guidelines. The problem is that hackers rarely serve maximum sentences. Albert Gonzales is one of the few who is doing serious time—20 years. Consider the following examples:
- Robert Moore was sentenced to two years of prison for hacking into the networks of Internet phone companies. He was up against a maximum five years.
- David Kernell, who hacked into then vice presidential candidate Sarah Palin's Yahoo email account at age 20, was sentenced to 366 days at a rehabilitation center, where he was allowed to continue his college studies. Kernell also faced a maximum five years.
- Miley Cyrus hacker Joshua Holly got just three years' probation for spamming and computer fraud. He could have been sentenced to 10 years in jail.
Because the evidence against them is usually so incriminating, hackers often enter plea agreements with prosecutors, where they plead guilty to all charges in return for a more lenient sentence. In a plea bargain, the criminal might also agree to cooperate with prosecutors on other cases by serving, for example, as an informant or witness.
While plea bargaining has its benefits (prosecutors get freed up to work on other cases, often with the help of the convict), it weakens the deterrent effect that prison sentences are intended to have.
"The sentences that people are getting don't really seem to have any deterrent effect," says Rogers. "Hackers realize if they get caught, they might get five to 10 years, but when they get out, they'll have a book deal, make a TV movie or become a consultant. In some cases, that's what happens," adds Rogers, referring to Kevin Mitnick and Kevin Poulsen, two of the most famous hackers of all time. Mitnick is now a security consultant and sought-after speaker. Poulsen now works for Wired as a senior editor.
Another reason hackers tend to get lenient sentences is because they're often young, says Chval. He points to Joshua Holly, who despite having about 200 stolen credit card numbers stored on his computer, didn't serve a day of prison time.Chval realizes that judges have to strike a balance when sentencing young hackers: They don't want to be overly harsh on defendants who are essentially kids, not hardened criminals, with no prior offenses. Nor do they want to overreach with draconian sentences designed to send a message to other young hackers simply because law enforcement doesn't have the resources to investigate and prosecute all of these cybercrime cases, says Chval. But, he adds, striking this balance comes at the expense of deterring other young people from computer crimes.
"Obviously, kids aren't getting the message about the seriousness of cybercrime, of hacking," he says.
Hacking: A Social Problem
Chval and Rogers believe that the individuals the FBI arrested this summer for their alleged involvement with Anonymous will get harsher sentences if convicted because they taunted, embarrassed and attacked government Websites and financial institutions. Prosecutors may finally have their opportunity to exemplify these young hackers as a cautionary tale.
But for law enforcement to have any real impact staunching cybercrime, experts agree they need to raise the public's awareness that hacking is a real crime with real victims.
Part of the reason hackers, particularly the younger ones, get lenient sentences is because judges have to weigh a potential backlash if the public sees them as being too harsh for sending "a college kid who made a mistake" to federal prison for five years, says Chval. The potential public relations backlash suggests that the public doesn't understand the severity of these crimes, he adds.
"Parents need to talk to their kids about [illegal] music downloading," says Chval. "It's all part of the same realm. A kid who doesn't see anything wrong with downloading music he hasn't paid for probably wouldn't see much wrong with taking credit card numbers. It's a slippery slope when you start down that path."
Indeed, adds Rogers, the problem with hackers is that they don't see their activity as criminal. "They never see the victims. They never see the impact. All they see is the technology," he says. "For the most part, these people understand right and wrong. They wouldn't rob a bank or engage in other deviant criminal activities, but as soon as technology is involved, that line dividing what's right from what's wrong gets really distorted."
For that reason, Rogers would like to see classes on ethical computer behavior taught in elementary, middle and high school.
"If we only rely on law enforcement and the legal system to solve the problem, it's never going to happen," says Rogers. "This is a cultural problem. It's an education and awareness problem. It's an ethical problem."
Meridith Levinson covers Careers, Project Management and Outsourcing for CIO.com. Follow Meridith on Twitter @meridith. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Meridith firstname.lastname@example.org.