Restitution for Hacks

I wrote earlier about a recent decision on computer fraud related to ATMs. I did a little history reading to jog my memory and see if I could figure out what about the case sounded familiar. I found Section 6-1 of my HP-UX System Security Manual, from October of 1989, with the following warning:

The U.S. Computer Security Act of 1987 casts new urgency on computer security in all business segments. It stipulates that if financial loss occurs due to computer fraud or abuse, the company, not the perpetrator, is liable for damages. Thus, ultimate responsibility for safeguarding information lies with individual businesses themselves.

Ronald Reagan’s Computer Security Act (CSA) was repealed by FISMA in 2002. Could it be relevant to today’s attacks?

The CSA was a reaction to the news of computer attacks in the early 1980s, especially by seven teenagers from Milwaukee. An eager Congressman from Kansas (Glickman) called House hearings that pointed out attacks were successful mostly because of weak and default passwords as well as of missing patches.

Here’s an amusing excerpt from InfoWorld in 1983:

…the FBI had implied that [a perpetrator] had violated the law when he sent electronic mail on the Telenet network. “We weren’t even aware that using the [stolen] passwords was illegal” he said.”

Obviously attacks have not changed much. What really has changed is restitution.

The major difference from pre-CSA regulation to today seems to have more to do with the liability of an attacker to pay for restitution than with any radical shift in system vulnerabilities.

Note the details in a case earlier this year. A man in New Hampshire was set to pay restitution of more than $2 million and forfeit another $8 million after running a four-year malware operation.

PALA and his co-conspirators infected German citizens’ computers with a program that would force the computers’ telephone modems to surreptitiously dial premium telephone numbers rented from German telephone companies by PALA’s co-conspirators. …from 2003 through 2007, PALA made approximately $7,941,336 from the computer hacking conspiracy. PALA also allegedly failed to pay approximately $2,287,993 in income taxes during this time.

Modems? He was expected to pay a hefty restitution to the IRS for undeclared profits from (unauthorised) dial-up fees.

Another interesting restitution case earlier this year was in Massachusetts, where a prisoner hacked the common computers and then was ordered to pay to protect the identity of other inmates.

Souter conceded that individual current and former employees could have paid for their own credit monitoring when they learned of the hacking, “but this in no way diminishes the reasonableness of the Facility’s investigation prompted by the risk that its security failure created.”

[Retired U.S. Supreme Court Associate Justice David] Souter rejected Janosko’s timeliness argument. “An employer-victim contemplating the resolution of a charge like the one here could be expected to press the prosecutor to demand any terms that would be necessary to make the members of the employer’s workforce whole, and a credit check even up to the moment of a plea agreement would therefore be timely,” he wrote.

The BofA case thus fits the trend of ordering a hefty restitution award from perpetrators. Unlike the time of the CSA the laws now seem headed towards large recovery awards, which some argue are disincentives to attackers. Hopefully the restitutions will not prematurely reduce the pressure to enhance technical controls.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.