Is U.S. computer crime justice draconian?
See Also: Threat Intelligence - Hype or Hope?
That's one obvious question following Britain's high court ruling that Lauri Love, a man who's suspected of stealing data 2012 and 2013 from numerous U.S. government agencies, including the FBI, US Army, Department of Defense, NASA and the Federal Reserve, would not be extradited to the U.S., in part because of judges' poor view of the U.S. justice system (see British Hacking Suspect Avoids Extradition).
"No country has a monopoly on justice in cybercrime cases."
The U.S. government sought Love's extradition, which he fought. And on Feb. 5, England's Court of Appeal ruled that 33-year-old Love would not be extradited on two grounds. First, Britain's Crown Prosecution Service declined to prosecute Love, but could still do so, and must review whether it will. Second, the British court said the U.S. justice system could not be trusted to treat Love humanely. The judges wrote that his incarceration in the U.S. would be "oppressive by reason of his physical and mental condition," which includes severe depression and Asperger Syndrome.
Love isn't the first British individual who's been accused of hacking the U.S. government who U.K. ultimately chose to not extradite. In 2012, after a decade-long case, the government rejected a U.S. extradition request for Gary McKinnon, who said he'd been looking for evidence that the U.S. government was covering up the existence of UFOs.
But terrorism analyst Michael S. Smith II, speaking with Britain's Channel 4 News, says that the U.K.'s failure to extradite computer criminals "creates a dangerous precedent in terms of U.K. government signaling to a range of illicit actors that it's going to limit our capabilities to pursue justice, when these crimes occur."
ATT Friends in UK: Earlier today, I did an interview with @Channel4News re the implications of @LauriLove's extradition appeal. Put simply, the ruling will negatively impact the US's abilities to deter foreign hackers from targeting government systems and critical infrastructure.— Michael S. Smith II (@MichaelSSmithII) February 5, 2018
But some legal experts have long questioned the supposed impact of U.S. deterrence (see The Myth of Cybercrime Deterrence).
"The truth is that cybercrime occurs for a lot of different reasons, and is very rarely deterred by the threat of punishing someone else," says Mark Rasch, a Washington computer crime attorney who formerly worked as a trial attorney for the Justice Department.
As with murder, espionage or innumerable other crimes, "no one reads an article about someone being prosecuted for cybercrime and says, 'You know, I was planning on doing it, but now I won't'," he adds.
US Sentencing Guidelines
In Love's case, Rasch says it's important to clarify Love's assertion that he faces probably 36 months in U.K. prison if convicted of hacking charges, whereas he would have been locked up for 99 years if he'd been found guilty in U.S. court, which Rasch says would have been the maximum time to be served, based on charges filed against him. Instead, federal sentencing guidelines would have applied.
But Rasch contends that U.S. sentencing guidelines can be draconian, especially for computer crimes (see Young Hackers: Jail Time Appropriate?).
"They're inexact and they can be draconian, because they do look at things like economic damage, economic loss and impact," he says. "They don't necessarily have enough flexibility to deal with things like juvenile pranks, and even things like what I would call criminal juvenile experimentation - things that are clearly criminal, you don't want to minimize their impact, you want to say they're clearly criminal, but they're not the same thing as a criminal heist - a gang of organized criminals trying to do something terrible."
A compounding problem, Rasch says, is the disconnect so many people - especially younger individuals - feel when they're sitting at a keyboard. "A lot of kids - and I'll say kids, anywhere from the age of 11 to the early 20s who have not yet developed the type of socialization necessary to not commit crimes, they're really not necessarily thinking about the impact of what they're doing: I can't be committing a crime, I'm just typing," Rasch says.
"When I was 15, the worst I could do is burn the house down. Today's 15-year-olds could shut down the federal reserve," he adds.
Hacker Rehab Bootcamp
Some countries are taking more creative approaches to address criminal hacking.
The United Kingdom, for example, has successfully prosecuted many young hackers. In the case of LulzSec, its youngest member, Mustafa Al-Bassam, who was a 16-year old at the time of the group's summer of 2011 hacking spree, pleaded guilty and received a 20-month suspended sentence and 500 hours of unpaid community work. He's now a PhD student in the Information Security Group at University College London and a cybersecurity adviser to London-based secure payment gateway provider Secure Trading.
If the US's ability to deter foreign hackers is incompatible with other countries' democratic laws, that's the US's problem. The US doesn't own the world. There's absolutely no reason why Lauri can't be tried and prosecuted in the UK, as I was in 2011. https://t.co/Fi9MuyTMll— Mustafa Al-Bassam (@musalbas) February 5, 2018
LulzSec member Jake Davis, who was 18 at the time of the attacks, pleaded guilty to launching DDoS attacks, and received a sentence of 24 months in a young offenders institution. He's now part of a security startup called Skyscape and lectures on the dangers of criminal hacking.
Britain's National Crime Agency, the successor to the Serious Organized Crime Agency that took down LulzSec, has begun testing hacker rehab programs aimed at teenagers who have been caught launching online attacks, in an attempt to entice them away from a life of crime.
Rasch says it's clear that no country has all of the answers when it comes to computer crime and that the U.S. justice system would do well to study what others are doing. "No country has a monopoly on justice in cybercrime cases," he says.