A common frustration among those in the more technical circles of society is the apparent inability of law-makers and prosecutors to provide a real deterrent to cybercrime in the courts.
Many of the judges gathering dust in courtrooms up and down the country either fail to comprehend the seriousness of crimes committed online or simply fail to comprehend, full-stop.
So for those of the 'lock 'em up and throw away the key' school of thought there was good news today with the sentencing of a British man who committed the largest known identity theft, affecting 30,000 people and resulting in losses of $2.7m. The man worked as a help desk employee for a large US credit company and while he was there he sold on the details of customers on the credit database.
For his part in the scam he was sentenced to 14 years in prison - no mean sentence by any measure. It certainly puts some of the community service orders and suspended sentences handed to virus writers into perspective.
The reason for such a relatively harsh sentence is simple - the clue is in the $2.7m sum.
It boils down to the fact the judge was given a concrete figure determining what this man's actions had cost. His crime suddenly became comparable to the theft of $2.7m worth of material goods, which is quite a heist.
The problem with convicting virus writers is the fact the damage they do is rarely quantified in these terms. While their actions may costs businesses worldwide millions of pounds, such figures are rarely supported in court or treated as anything more than supposition.
Many companies will repair the damage and get on with life as normal. Many will do so quietly, not choosing to shout about the fact they were hit by a virus, especially any publicly traded companies or those who should have known better than to be hit in the first place.
As such the actual damages are never brought to light or conveyed effectively to the judge or jury and the individual gets tried for little more than spreading a virus, consequence unknown.
If we are to see a greater array of convictions for cybercrime we need to have in place a recognised means of quantifying and reporting the damage done and a way of conveying to a judge that £1m of malicious or wanton damage online is exactly the same kind of crime as £1m of malicious or wanton damage in the real world.
Comments
There are 2 comments. Join the discussion
1. John Woods
As usual, it's because no-one understands statistics. Figures of £millions for viruses are pure supposition. But it should be reasonably easy to come up with a figure that we were 99% sure had been exceeded.
2. Justin Wheatley
But who is going to put the bell around the cat's neck?
It sounds like a great idea, but somebody has to stand up and do it. It's expecting a lot of the larger companies (who albeit have the means and manpower available) to make an exhibition of themselves by helping bring-down an individual for massive consequential losses when "all they did was release some naughty software". Where there's an identifiable individual victim or victims of a crime, it’s usually the state that steps-in to defend them. Likewise here, individual victims are difficult to bring forward, but all companies acknowledge that they face the threat of such assaults, so they would probably subscribe to a group focussed on defending them. It would be another form of preventative action that might look good to shareholders rather than embarrassing.
Perhaps there's a gap in the market for an astute law firm to offer a legal defence subscription for such things so that it's no longer individuals who have to come-forward? Anonymous evidence collected from subscribers would be just as weighty, but far less damaging to reputations.
Shame I don't have the experience or knowledge, but many do...