Will the sentences imposed by courts really serve as a deterrent against virus writers, asks Madeline Bennett.
German law enforcement agencies had a success this month with the arrest of the teenager thought responsible for the Sasser worm. The investigation – involving German police, the FBI and Microsoft – and subsequent arrest were hailed as an example of how joint efforts by industry and government agencies can get results.
The outcome was also touted as a success story for the scheme Microsoft launched late last year to offer cash rewards for information about the identity of virus writers.
But catching a suspect is only one step. It’s no use getting the culprit to court if they are let off with a slap on the wrist or a nominal community service order.
One sure-fire way to ensure harsher penalties would be for firms to start being a bit more open about the damage inflicted on their systems. If judges were presented with hard data about the financial losses caused by worms or hack attacks, collected from a range of companies, they would be more likely to impose suitable sentences.
However, I don’t think many companies are happy publishing this type of data without safeguards in place to protect their reputations – and rightly so. It’s still the case that admitting to being hit by a virus or denial-of-service attack doesn’t go down well with customers and investors.
Initiatives such as the Confidentiality Charter of the National Hi-Tech Crime Unit (NHTCU) have been designed to allow firms to report attacks in the knowledge that the information will remain confidential. Such schemes are welcome, but more needs to be done to inform firms of their existence and to build up trust with potential contributors.
All-party lobby group Eurim has proposed another way of tackling the problem of internet crime. It recently released a paper arguing that a lack of IT forensic experts in the police and industry is hampering investigations and reducing the chances of obtaining successful prosecutions. It is therefore calling for the government to develop guidelines for computer crime investigations, and it wants certification schemes to be introduced for mid-level forensic computing skills.
And we also have an update of the Computer Misuse Act on the cards, to ensure the law adequately covers all types of computer-related offences, and to close loopholes.
However, even with adequate laws and skilled investigators, there is still a risk that convicted offenders will get off lightly.
Going back to the Sasser case, teenager Sven Jaschan could face up to five years in prison for the damage he’s accused of having caused. But I doubt very much that such a stringent sentence will be handed out. A suspended sentence, community service, or a slap on the wrist and “no more computers for you, sir” are all much more likely outcomes if he’s found guilty.
Indeed one group of well-wishers even set up a support fund for Jaschan, collecting donations to help with legal fees in return for the service he’s done by highlighting the weakness of IT security. (For those readers keen to donate, I’m sorry to say the Sasser Support Team ended its fundraising drive after unsuccessful attempts to contact the man himself).
Until we stop making excuses for these people and see them for what they are – law-breakers as opposed to mischievous pests – any drives to combat computer crime will be severely hampered.