Prison sentences can be used to punish hackers and cybercriminals, but don't expect them to deter future hack attacks or cybercrimes.
See Also: IoT is Happening Now: Are You Prepared?
Take the case of Silk Road mastermind Ross Ulbricht, a.k.a. "Dread Pirate Roberts," who Judge Katherine Forrest of Manhattan's U.S. District Court for the Southern District of New York on May 29 sentenced to life in prison. Silk Road was a notorious online narcotics marketplace - an Onion site reachable only by using a Tor browser - that came to represent the black-market economies at play on the so-called "darknet."
The truth is, hackers - like most criminals - do not consider the consequences of getting caught; they do not think they're going to get caught, arrested or prosecuted.
In February, after a four-week jury trial, Ulbricht was convicted of all seven counts filed against him. Prosecutors then wrote to Judge Forrest, asking that she impose "a lengthy sentence, one substantially above the mandatory minimum," in part because it would "send a clear message" to anyone who might attempt to emulate Ulbricht, Wired reports.
Judge Forrest went well beyond that, slamming 31-year-old Ulbricht - a former engineering graduate student who said he wanted "to use economic theory as a means to abolish the use of coercion and aggression amongst mankind" - with five sentences, including two for life. All are to be served concurrently, leaving him no chance of parole. He's also been ordered to forfeit $184 million.
"The stated purpose [of Silk Road] was to be beyond the law. In the world you created over time, democracy didn't exist. You were captain of the ship, the Dread Pirate Roberts. You made your own laws," Forrest told Ulbricht as she read the sentence, the Guardian reports. "There must be no doubt that you cannot run a massive criminal enterprise and because it occurred over the Internet minimize the crime committed on that basis."
But when it comes to deterrence, the court was arguably too late. Indeed, just one year after shutting down Silk Road and arresting Ulbricht, in November the FBI said it arrested 26-year-old Blake Benthall, a.k.a. Defcon, in San Francisco on charges that he owned and operated a site that billed itself as Silk Road 2.0. And Silk Road was only one of a number of online sites that styled themselves as an Amazon-like marketplace for illegal goods.
The rise of such sites should be no surprise, given the potential profits to be earned. According to the FBI's criminal complaint against Ulbricht, Silk Road earned Ulbricht up to $20,000 per day in bitcoin commissions, or $3.4 million in total.
The need to deter future criminals has been cited in numerous cybercrime cases, such as the case of 22-year-old Canadian David Pokora, a.k.a. Xenomega (see Will Xbox Hacker Sentence Deter Others?). In April, he was sentenced to 18 months in U.S. prison after pleading guilty to participating in a hacking ring that successfully stole data from a variety of gaming-related businesses (see Third Microsoft Hacker Pleads Guilty).
Prior to Pokora's sentencing, prosecutors suggested that a severe sentence would deter other criminals. "The sentence imposed on defendant must promote respect for computer fraud and intellectual property laws and attempt to deter both defendant and all others engaged in similar crimes - both in the United States and abroad," Assistant U.S. Attorney Edward J. McAndrew wrote in a letter to the court. "The sentence must debunk the notion that international cybercrime is not serious here, even if it is less so abroad."
But while it's easy to suggest that U.S. sentencing decisions serve a deterrence effect, the facts of the Pakora case undermine any suggestion that hackers might be running scared. Indeed, according to U.S. prosecutors, he "is the first foreign hacker convicted in this country of crimes involving the theft of trade secrets."
Mark Rasch, a former U.S. Department of Justice official who created its computer crime unit, and who's now chief security evangelist at Verizon, tells me: "Let's face it, the U.S. government is saying this is the first trans-border intellectual property theft criminal prosecution for hacking they've ever done. How much deterrence can you get, when this is the first one, and this type of attack has been going on for 20 years?"
Few cybercriminals at home or abroad worry about the nuances of U.S. laws or sentencing guidelines. "The truth is, hackers - like most criminals - do not consider the consequences of getting caught; they do not think they're going to get caught, arrested or prosecuted," Rasch says. "And most of what they know about the criminal justice system, they know about from television, movies and whatever information they glean from the Web," he says (see FBI Hacker Hunt Goes 'Wild West').
'Making an Example' of Hackers
The need to "make an example" of some hackers arguably also results in their being hit with especially harsh sentences, argues Robert David Graham, head of information security research firm Errata Security, in a blog post.
"The effect of 'setting an example' is this: hackers usually get extra punishments," Graham says. In part, that's because what they're doing doesn't typically square neatly with the existing penal code. "What hackers do is innovate. Whether it's Aaron Swartz ... Ulbricht or a long parade of other hackers, these people challenged the system. Prosecutors had to stretch old laws to fit new actions in cyberspace - often past their breaking point - they sometimes weren't crimes. Ulbricht clearly committed crimes, but in new ways."
Graham makes that point to question the severity of the concurrent life sentences imposed by the judge in Ulbricht's case, the harshness of which he says was inspired by Ulbricht's unrepentant free-market ideals, which his defense team cited unsuccessfully in court.
The judge's sentence - the maximum possible - is already sparking debate. And as her decision gets analyzed, treat with caution any suggestion that the sentence against Ulbricht - or in any other computer-crime case - will deter any such future attacks.