Imagine living this nightmare—you've worked for years on a project, with thousands of hours of irreplaceable data stored on your computer's hard drive. Then one day you turn on your computer and what do you see? Oprah Winfrey appears on your desktop, accompanied by the caption, "Watch Oprah eat." As you watch helplessly in horror, one by one, your files, your hard work, perhaps a career, disappear into the enlarging belly of the image on your monitor. By the time you react, your hard drive has been wiped clean. Cyberpunk novel? Hardly; it's "Oprah," the computer virus, having its premiere on your desktop.
In the 1980s the security of a rapidly growing worldwide computer network was increasingly challenged. The very interconnectedness of the Internet became its Achilles Heel, allowing uninhibited transmission of destructive code along with legitimate data. Commercial interests began to clash with electronic thieves and vandals. Along the way, the casual user also got caught up in the free-for-all.
Congress soon responded by passing laws to cover the unauthorized access and intrusion of computers and other electronic media through such means as "hacking" (accessing information by unauthorized means), "phreaking" (hacking the phone system to obtain free calls) and "cracking" (breaking into computer systems, which can involve stealing and/or vandalizing data as well as spreading viruses).
Quite a First Impression
One particularly famous intrusion that resulted in criminal prosecution also produced one of the first federal appellate cases. Robert Morris was a first-year Ph.D. candidate in computer science at Cornell.
In October 1988, he began work on a field experiment of sorts to explore the weakness in security programs then in use. Morris planned to feed a program onto the Internet that, once released, would enter computers undetected and copy itself while spreading throughout the entire system. Ostensibly this was an academic experiment. On November 2, 1988, the program was introduced to the Net via a computer at Harvard, in order to disguise the program's origin.
But Morris miscalculated. As stated, he had constructed his "worm" to keep it undetected and prevent it from using up resources and causing a computer crash. But that is just what happened.
Computers crashed at medical facilities, military installations and universities all across the Internet. When Morris realized the extent of the spreading damage, he reportedly attempted to e-mail programming instructions on how to kill the worm. But by then it was too late. The replicating worm had clogged the network ahead of his message and his emails couldn't get through. One of the first incursions to inflict significant damage, the resulting infection disabled some 6,000 computers causing losses at the affected sites ranging from $200 to $53,000—each.
Morris was prosecuted for violating a federal statute prohibiting the transmission of programs that cause damage to "protected computers." His defense was that he had no criminal mens rea, or criminal intent to damage anyone. But he lost that argument when the court held that the statute didn't require any intent to do anything but access the computers. And United States v. Morris, 928 F. 2d 504 (2nd Cir., 1991) affirmed the conviction of Robert Morris for his role in unleashing the "Internet Worm," also called the "Great Worm" (a reference to Tolkien).
The Statute
In the pertinent language, 18 U.S.C. 1030(a)(5)(A) covers a party who:
(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby
(A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period;
The Court of Appeals in Morris stated that the adverb "intentionally" only covers the phrase "accesses a Federal interest computer." The remaining language about altering, damaging and destroying etc., is a separate clause that, the court held, was not so modified. In subsequent amendments, Congress modified the language to repeat the word "intentionally," covering both access and damage.
TechNo Cat ’n Mouse
Whatever the intent, corporations and law enforcement, concerned more about the result of these incursions, have developed vigorous and creative public and private sector initiatives aimed at both minimizing the damage caused and collaring the perpetrators.
James Nerlinger, most recently a detective with the Regional Electronics Computer Intelligence Task Force in Cincinnati, cited the rapid arrest made on the author of the "Melissa" virus earlier this year. He noted that one factor facilitating the trace was the analysis of identifiers Microsoft had placed in "Word" documents (which had carried the virus), enabling identification of the originating computer.
However, such traces are not always possible. According to Detective Nerlinger, "If the contaminant is traceable at all—and it frequently is not—law enforcement must rely upon log files maintained by service providers (email and Internet) to trace the suspect. These log files are not maintained forever, if at all. A lack of logs at any point in the trace can and generally will end the investigation." But once a trace is successful and a search warrant obtained, the game is generally over.
And out of some 400 cases (which can range from a simple inquiry from another agency about seizing a cell phone to a multi-agency investigation) over a five-year period, he says not one has gone to trial. All the cases that led to charges ultimately pleaded out. Even pre-trial suppression motions were usually withdrawn after the defense attorney was presented with the evidence.
An Upward Response
Justin Tanner Petersen was not a virus coder or spreader. Nevertheless, Petersen's appeal led to the adoption by the 9th Circuit of an application of the federal sentencing guidelines that has alarmed some defense attorneys.
Unlike Morris, Petersen was a career hacker who gained access to computers for financial gain. U.S. v. Petersen, 98 F.3d 502 (9th Cir. 1996) affirmed the two-level upward adjustment in Petersen's sentence pursuant to U.S.S.G. § 3B1.3 imposed by the trial court. In pertinent part the guideline provides: "If the defendant abused a position of public or private trust, or used a special skill in a manner that significantly facilitated the commission or concealment of the offense, increase by 2 levels."
The Court had noted that Mr. Petersen's special skill derived from his "extraordinary knowledge of how computers work and how information is stored..." despite also noting that he had no formal education or training in the computer field. According to San Francisco cyber defense lawyer Jennifer Stisa Granick, "It's going to be the rare case" in which a hacker does not get an upward adjustment in sentence under the Ninth Circuit's interpretation of the special skill language.
All or Nothing
It appears that either a trace runs up against a dead-end and no prosecution results, or the successful trace forces a plea with the prospect of a long sentence.
Would courts offer more latitude in sentencing depending on the computer crime? Or computer criminal? Many Internet professionals are saying that what others call a threat is no more than a bunch of pranksters exploiting the natural human tendency to leave the doors unlocked.
We began by describing a destructive attack by the Oprah Virus, of which at least one virus spreader reported a sighting. The name "Oprah Virus" doesn't appear on Norton's 42,000+ virus definition list. But it does show up on other lists that showcase such virulent infestations as the "Ronald Reagan Virus," which "saves your data, but forgets where it's stored," and the "Joey Buttafuoco Virus" that "only attacks minor files."
Whom are we dealing with? Next month, we'll share the emerging profiles of the people behind the viruses.
The Special Skill Standard
Perhaps there is more (or maybe less) to the Ninth Circuit's decision in U.S. v. Petersen than meets the eye. Many times, outcomes depend on unique fact situations or the character of the parties. And Petersen was certainly a character.
In 1989, he gained access to telephone company computers which allowed him, along with two confederates, to utilize a computer program that guaranteed theirs would be the winning phone call to win cash prizes, trips and automobiles.
About a year and a half later, Petersen stole a Porsche; he then moved from California to Texas, where he hacked into a credit reporting firm to obtain credit cards using names picked at random from the telephone directory. He was subsequently arrested and charged with federal crimes.
As part of a plea bargain, he agreed to assist the FBI in obtaining evidence against his two former confederates. According to the narrative in the appellate decision, "The FBI rented him an apartment with computers, phone lines, and pagers." Petersen's help led to conviction of his former partners. He also helped himself to a few more credit cards while ensconced in that federally subsidized apartment and with the help of his government-supplied computer.
When the authorities discovered this, they confronted Petersen, who immediately fled, thus becoming a fugitive. But that's not all, folks. According to the dry appellate court account:
"While a fugitive, Petersen hacked into the computers of Heller Financial and obtained the codes necessary to effectuate a wire transfer from Heller to another bank account. On August 17, 1994, Petersen called in two bomb threats to Heller as a distraction. While the building was evacuated, he executed a $150,000 wire transfer from Heller through Mellon Bank into an account at Union Bank. The next day Heller discovered the transfer and managed to seize the $150,000 before it was removed from Union Bank."
After that escapade Petersen was captured again, pled guilty, and was sentenced—finally.