Cybercrime and Punishment: Who’s Actually Paying the Price?

It seems that a week doesn’t go by where there isn’t news of a major data breach or intelligence dump. Yesterday gave us something slightly different, but still a variation on the same theme. On Wednesday March 15, 2017 the Justice Department indicted four defendants – all with ties to Russia – for an array of computer and hacking crimes. The fact that two of the defendants are Russian FSB officers makes for an even more intriguing story, but that’s not the angle I’ll pursue in this post and there are more than a few worth chasing down. I'll wait to tune into tomorrow's edition of UNM4SK3D to get the details, but this development has presented me with the opportunity to investigate something that’s nagged at me for a while: what are the laws governing cybercrime, and more importantly, what are the penalties and how often have they been imposed?

The Charges

Before moving on to the laws and punishments for computer and cybercrime, a quick overview of the Justice Department's indictments is in order. Setting aside a moment the egregious violation of trust between the FBI and their Russian counterpart in the FSB, there is quite a bit of offense to go around.At its core, the defendants gained unauthorized access to at least 500 million Yahoo! accounts. From there, a variety of exploits occurred ranging from using stolen information to compromise other accounts and systems to stealing Yahoo! intellectual property to good old fashioned online scamming in the form of stealing credit card and gift card account numbers and redirecting some of Yahoo’s search engine traffic to make commissions. Spamming even found its way into the mix with stolen Yahoo contacts being the lucky recipients of spam messages.The full litany of charges can be found on the Justice Department’s website compiled into convenient tabular form. Potential penalties range from terms ranging from 5 to 20 years. The Justice Department is seeking extradition of the defendants to the United States for prosecution. I’m sure the Russian government is getting right on that considering there is no extradition treaty in force between the U.S. and Russia. Not to mention it appears the Russian government was behind the hack.

Notable Cybercrimes from History

In the meantime, it’s worth examining some high-profile cases that have been successfully prosecuted over the years since a very small number of computer and cybercrime cases ever make it that far. The primary reason for this is that cybercriminals are usually difficult to catch. Either they elude detection, or if they’re identified, in many cases they are in countries such as Eastern Europe that don’t have extradition treaties in place with the United States. But every once in a while law enforcement finds a bone:

• Kevin Mitnick was one of the earliest cybercriminals – at least one that got nabbed and successfully prosecuted. He was sent to prison on two separate occasions – the last time for five years. Mitnick was a master of social engineering and employed it with an almost pathological zeal. Reading his Wikipedia entry paints the picture of an online kleptomaniac. Today, Mitnick runs his own cybersecurity firm and appears to have mended his ways to become an ethical hacker.
• Lauri Love is a British national currently awaiting extradition to the United States to face criminal charges for stealing data from computers belonging to the Federal Reserve, the US Army, Missile Defense Agency, and NASA. Those look like the acronyms of agencies you probably don’t want to mess with. Love faces up to 99 years if convicted of all charges. An extradition treaty exists between the US and the UK and a British magistrate ruled that Love should be extradited. Love’s defense attorney has cited Love’s diagnosis of Asperger’s syndrome along with eczema and psychosis as extenuating conditions to block his extradition.
• In one of the more wacky cases of computer hacking, the St. Louis Cardinals were caught hacking into the Houston Astro’s database. The case was handled internally by MLB which dished out the punishment: the Cardinals will lose two drafts picks and were forced to pay a $2 million fine. The Astros are the beneficiary of both the picks and fine. The former Cardinals executive charged with the hacking has received a lifetime ban from MLB joining Pete Rose in that exclusive Hall of Shame. He was the only person punished in the case.

Since hackers and cybercriminals in general are so tough to catch - let alone prosecute - attention is turning to plucking the low hanging fruit in the way of insiders gone bad. Some of the largest security risks exist in insider threats and since more focus is now being placed on them; it only makes sense that prosecution rates for this group is on the rise. It also helps that they’re most likely still in the country unless they’re savvy enough to flee somewhere beyond the reach of law enforcement.

There's a new Sheriff in Town?

Extradition barriers notwithstanding, as in the case against the Russian Yahoo hackers, the Justice Department is hoping to send a message. Officials believe that bringing these charges will serve as a warning to adversaries that there will be consequences for targeting American companies for traditional spying or financial gain. This tact is similar to the one taken when similar charges were levied again five Chinese military officers in 2014 accused of economic espionage against American companies and a labor union. FBI Director James Comey issued a statement declaring his intentions, “We are shrinking the world to ensure that cybercriminals think twice before targeting U.S. persons and interests.”Some resources worthy of your attention are the Computer Fraud and Abuse Act, the FBI's Cybercrime page, and of course the numerous courses right here on Cybrary.it dealing with Computer Forensics, Ethical Hacking, and Cybersecurity in general.