In 1995, Angelina Jolie portrayed a computer hacker who went by the alias Acid Burn. At the time, I had limited access to movies, as well as most other forms of entertainment and culture. I was not aware of seminal hacker movies such as WarGames or Sneakers (if you have not yet seen these, drop what you’re doing and go watch them now), but it was enough to reinforce my conviction to someday work in the field of computer security. The world has changed a lot since then. Even the term hacker has mutated from the definition I originally learned from reading 2600 articles. Today, perpetrators of large network floods are called “hackers” in the press.
That aside, when these hackers are caught, they are almost universally despised by their victims [1] [2]. In many cases, these people have caused severe damage to their victims, but in many others the damage can be quite minor. The fate of such a convicted criminal depends on the jurisdiction in which they are charged. For example, in Florida a fourteen-year-old eighth grader faced felony charges for changing his teacher’s desktop wallpaper. A recent prosecution in Finland resulted in a two-year suspended sentence for a 17-year-old perpetrator, one of the members of the now infamous Lizard Squad. This is imbalanced justice, given the damage that each of the defendants caused.
Punishment doled out to a cyber criminal should be applied with some discretion. Sentences should take into account factors such as the financial damage caused by a perpetrator’s attack. The decision to press charges should also weigh whether the damage caused was intentionally malicious, since in many cases hackers break things in order to fix them, or find flaws by accident. Decisions surrounding these kinds of issues could also set a precedent protecting people who accidentally participate in botnets, and who might otherwise be found guilty of damaging someone’s network without ever having willingly participated.
Bug bounties are a great positive use of these “grey hats”. The Electronic Frontier Foundation has some great ideas about advancing the rights of hackers, whether they are young, old, vicious or altruistic. If you feel strongly about this topic, write to your representatives and implore them to review the balanced policies suggested by the EFF. We’re moving into a time when cybersecurity law is going to play a huge role on the internet. After a period of no response to cyber attacks, the new approach is crushingly harsh in some countries and too light in others. We have to be careful to consider the source, both to protect victims of cyber attacks and to protect people from punishment for unintentional damage.