The infamous hacker Albert Gonzalez was recently sentenced to 20 years in prison for his role in stealing approximately 130 million credit and debit card numbers. This punishment, the harshest ever handed down in an American court for a computer crime, marks progress in the battle against cybercrime. In most cases, however, the penalty does not fit the cyberattack, sending a dangerous message to cyberthieves that the crime is, in fact, worth the risk.
While Gonzalez will serve a lengthy prison term for his criminal exploits, others who helped him face lesser penalties. Jeremey Jethro, who provided Gonzalez with a zero-day exploit code that hacks into Internet Explorer, received a slap on the wrist for his role in one of the greatest cybercrimes in recent US history. Even though Jethro was paid $60,000 for the malicious code, he was only sentenced to three years probation and a $10,000 fine. While Jethro’s attorney claims that the malware was a dud and her client was unaware of Gonzalez’s ultimate intention, the fine still doesn’t even cover the entire amount Jethro received for his crime. Factoring in the additional expense of the trial, it’s evident that Gonzalez’s accomplice got away with an incredibly light punishment.
In another recent cybercrime case, the father and son team of Robert and Todd Cook pled guilty to selling $1 million of counterfeit software. The two cybercrooks, who will be sentenced on June 18, face up to five years in prison and a $250,000 fine. Even if the duo receives the maximum penalty, they still stand to profit $250,000 each. If sentenced to the full five-year prison term, each will make $50,000 per year of incarceration. It seems safe to say that most cybercriminals would happily endure a similar punishment for that kind of payoff.
There are countless other cases of the punishment not fitting the cybercrime. In 2008, a New Zealand teenager accused of a variety of online crimes that carried a maximum punishment of seven years in prison was acquitted of all charges. The youth was then rewarded for his hacking expertise with a job as a security consultant. While there is a definite need for “good” hackers, how many other computer experts will choose to pursue cybercrime in light of the minor risk versus the high reward?
Even more troubling is the fact that most cybercriminals do not face any repercussions for their acts. Exact statistics vary, but it is widely accepted that the likelihood of being caught and prosecuted for a cybercrime is less than one percent. If law enforcement has this much trouble pursuing offenders, harsher punishments for online crimes must be enforced in order to send the message that the risk is not worth the reward.