As cybersecurity pros scramble to respond to one mega-breach after another, industry forums are full of opinions, proposals and pitches for new products and services. But ask whether young hackers who run afoul of the law for the first time should get a break from legal consequences, and an uncomfortable silence may follow.
While some industry leaders may privately agree that young offenders deserve a second chance, few are willing to publicly challenge the overall push for prosecution lest they be seen as tolerating illegal acts that, whatever the motivation, can create havoc for business and government. While initiatives such as the U.S. Cyber Challenge (USCC) seek to draw young IT enthusiasts into information security careers, the teenage temptation to show off or respond to a dare are seemingly inevitable.
“Kids need to be able to screw up,” says a Silicon Valley cybersecurity scientist who asked not be named because of the sensitive nature of the topic. “They're under this enormous pressure to perform, in a society that sometimes seems like it's looking for ways to reject them.”
As a society, he adds, we really don't know how to deal with all the hacking that's going on. “Everybody's getting hit – and the only thing scarier than an expensive problem is a problem that no amount of money seems to solve. The kids sometimes get punished just because they're the few who you can actually catch.”
But just who qualifies as a kid and a hacker is itself disputed. The most high-profile prosecution of a young person under the federal Computer Fraud and Abuse Act (CFAA) was that of Aaron Swartz, the pioneering internet technologist who took his own life in 2013 at age 26 while facing trial on felony charges. Swartz was charged after being caught two years earlier downloading data from the JSTOR academic journal database at the Massachusetts Institute of Technology in order to distribute the materials free of charge. Unlike a teenage vandal who violates the law by rogue penetration testing operation, Swartz, by then a Silicon Valley veteran and an activist for internet privacy and the democratic sharing of information, was making a political statement.
Whether or not Swartz should be considered a hacker, there are many computer-savvy youths who use data breaches to make a political point, says Joe Gallop, head of the hacktivism intelligence practice at iSIGHT Partners, a Dallas-based global intelligence firm. “If one of the hacktivists really feels that they have a responsibility to do civil disobedience in a certain area to achieve a goal, that is their right, and they may actually achieve some good in some cases,” says Gallop, who has studied the hacktivist group Anonymous. He adds that as practitioners of civil disobedience, activists have long argued they “have to be willing to accept consequences.”
The Swartz case became a rallying point for those opposed to prosecutorial overreach in hacking cases, pointing to the fact that the prosecutor who pursued Swartz, assistant United States Attorney Stephen Heymann, was involved in the prosecution of Jonathan James in the TJX credit card scandal when James committed suicide in 2008. James had achieved notoriety a decade earlier when he became the first minor detained in the federal prosecution of a hacking case involving the penetration of NASA and other U.S. government targets.
In another high-profile case, federal prosecutors sought sentences of 440 years for David Hidalgo, a 28-year-old hacker accused of clogging an individual's website with junk text and running unauthorized penetration tests of local government websites. In a deal with prosecutors, Hidalgo agreed to plead guilty to a misdemeanor and pay a fine of $10,000 toward restitution.
Hidalgo's attorney, New York-based Tor Ekeland, sees the case as example of what he called “draconian” federal prosecutorial agenda toward hackers. “The abysmal state of computer law in the U.S. has a chilling effect on innovation,” he says. “If the government had prosecuted the way it does now in the 1970s, you would not have Apple computer, you would not have Microsoft,” he adds. He, of course, is referring to the “phone phreaking” exploits at the beginning of their illustrious careers by Apple founders Steve Jobs and Steve Wosniak and Microsoft founder Bill Gates.
The U.S. Department of Justice did not respond to a request for an interview for this subject. But Marcus Christian, a one-time federal prosecutor in computer fraud cases, says that his former colleagues do, in fact, consider the youthfulness and intentions of young hackers before bringing charges against them.
“Some of the things you look at considering are the history of the person, including criminal history, and the severity of the offense,” says Christian (left), who is now an attorney with the international law firm Mayer Brown. There is an issue of deterrence and an issue for young folks in terms of talent that could be developed by the cybersecurity community, Christian says. Look closer at federal handling of youth hacking cases, he adds, and you will find discretion being used.
However, given the breadth of anti-hacking legislation, discretion under the law may not be sufficient, says Glenn Chisholm, chief technology officer at Cylance, the Irvine, Calif.-based provider of anti-malware products. “The bundling of all crimes involving a computer leads to the inevitable demand that severe punishment be applied in some attempt at creating a deterrent,” Chilsholm says. “Of course, no minor seeking to satiate their intellectual curiosity, without intent, damage or seeking to make a financial gain should be punished as we would an adult. It should be a teachable moment that allows the individual to develop and contribute to society rather than face extended jail time, a damaged future and a massive real cost to society.”
In any event, young hackers do often intentionally break the law for financial gain, sometimes causing significant financial damage. Yet even in those cases, the authorities shouldn't come down on these youthful offenders as if they were adults, says Misha Glenny, a British journalist who specializes in cybersecurit and author of DarkMarket: How Hackers Became the New Mafia.
Young hackers hone their skills before their moral compass is fully formed, Glenny says. “They are often very impressionable at this age and the target of criminals, intelligence agencies and other state and non-state actors who are only too willing to offer them incentives to use their hacking and social engineering capabilities for subversive ends.”
Law enforcement should prioritize rehabilitation of young hackers over prosecution, says Glenny. “Locking them up in severe regimes, which happens regularly in the United States, for example, is simply going to deepen their hostility to the state and push them in the direction of a masters [degree] from the university of crime.”
The most prominent effort to keep young cybersecurity enthusiasts away from online misdeeds is the USCC, a nonprofit organization backed by business and government that seeks to recruit 10,000 young people to cyberdefense jobs. At the USCC camp, young people participate in an ethics panel with the FBI, the Secret Service, (ISC)2 and industry executives. “The campers discuss their motivations and why they are doing what they do,” says Karen Evans (right), USCC national director. Participants get to hear from the cybersecurity community on how their actions may be interpreted.
But the lack of criminal intent by young hackers is no guarantee of escaping prosecution. That's because the CFAA, along with similar state statutes, are written too broadly, says Hanni Fakhoury, a senior staff attorney on the civil liberties team of the Electronic Frontier Foundation (EFF), a San Francisco-based nonprofit organization which advocates for civil liberties.
“Bad people are doing bad things, and they should be prosecuted,” Fakhoury says. “We don't have a problem with that.” The issue, he says, is that people are being charged under CFAA for things such as violating a website's terms of service – as when Missouri native Lori Drew was unsuccessfully prosecuted for using a fake MySpace account in a cyberbullying case that involved the suicide of a 13-year-old. Another controversial CFAA case – United States vs. Nosal, currently before the United States Court of Appeals for the Ninth Circuit – was brought because of an alleged violation of employer-dictated computer policy.
With such broad interpretation of CFAA and similarly written state statutes, young pranksters can find their futures threatened by aggressive prosecutors, Fakhoury says, pointing to the case of Domanik Green, a 14-year-old middle school student in Holiday, Fla., who faced a state felony charge for hacking his teachers' computer and placing a photo on its home screen.
And from the EFF's perspective, those problems could soon get worse, given proposed changes to CFAA that Fakhoury calls “terrible.”
“People are talking about criminal law reform,” he says. “When it comes to the CFAA, the tendency is the opposite – to make it broader and make the penalties harsher.”
Headstart: USCC to the rescue
U.S. Cyber Challenge (USCC) announced the winners of its sixth Annual Delaware Cyber Camp competition. Following a week of intensive classroom instruction on a variety of cybersecurity topics, more than 60 participants competed in a “Capture the Flag” competition on July 24 at Delaware Technical Community College in Dover. Those who came out on top and won the competition include Alyssia Bates, Jon Butler, Rauni Kangas and Tim Plimpton.
“Given events in both the public and private sectors, it is undoubtedly clear to all that we have a long way to go to properly secure our networks and protect the private information of individuals,” said Federal Communications Commission CIO David Bray. “Seeing these individuals competing in the U.S. Cyber Challenge CTF gives me hope that we have the talent and it's just a matter of working with them to get them into the right jobs to help protect our nation and reduce vulnerabilities.”
USCC photo by Prudy Pierson