Crime and punishment: Harsh fate for accused LulzSec hackers?

Harsh sentencing guidelines have failed to deter hackers, but prosecutors are likely to make examples of those arrested in the Anonymous-related hacking cases.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
5 min read
LulzSec / Composite illustration by James Martin/CNET

The Anonymous defendants arrested last month for allegedly breaking into corporate networks, stealing data, and defacing Web sites as part of LulzSec are likely to have an extended vacation at Club Fed, experts say.

With well-known victims like Sony, Fox Broadcasting, and the FBI, prosecutors will want to make examples of those arrested in the Anonymous-related hacking cases in the hopes that it will send a message to others.

"I believe they will (get harsh treatment)," Michael Bachmann, assistant professor of criminal justice at Texas Christian University, told CNET in a recent interview.

Like Kevin Mitnick, who was indicted on 25 hacking and other counts and served five years in prison in the late 1990s, they are high-profile cases and they embarrassed law enforcement. They "will most likely be used as a deterrent for other illegal hackers who appear to be generally undeterred by law enforcement efforts," Bachmann said.

Take Hector Xavier Monsegur, also known as "Sabu," who pleaded guilty in August to 12 counts of computer hacking, conspiracy, bank fraud, and other charges. Prosecutors depicted him as a key figure in the LulzSec and AntiSec groups, which took credit for hacking into corporate and government networks and sites, stealing and publishing sensitive data from those networks, hijacking victims' e-mail and Twitter accounts, and defacing Web sites. His sentencing is scheduled for August 22, a Justice Department spokeswoman said today.

"With the act of unauthorized access and the theft of information, it doesn't matter what the motivations are," said Marcus Sachs, former White House adviser on cybersecurity. "It's still the same crime and should be prosecuted to the full extent of the law."

How sentencing works

Although the guidelines are advisory, judges do tend to follow them. Different factors -- such as financial loss and cost to restore the integrity of a compromised system, as well as prior criminal record, role as ringleader, and whether the defendant accepts responsibility -- are considered in determining the sentence, said Dayle Carlson, a sentencing consultant who used to be a federal probation officer.

The sentence is calculated with the help of a grid (PDF) that includes various levels of seriousness of the offense, from the lowest, Level 1, to Level 43, as well as six categories, starting with Category 1 for people with no prior record. If someone agrees to plead guilty, there is a three-level reduction and cooperators are released from the guideline range, according to Carlson. For example, a Level 24, Category 1 case calls for a sentence of between four years and just over five years.

"So there are no inconsequential penalties. If we start there and enter a guilty plea, then the guideline range would be 37 to 46 months," Carlson said. "Federal sentences are pretty harsh. We're looking at 51 months to 63 months without acceptance of responsibility."

With one count of violating the Computer Fraud and Abuse Act having a maximum of one year and/or a $100,000 fine for the first offense, up to 10 years for subsequent convictions and 20 years for repeat offenders, the prison time for hacking can add up. While Monsegur's 124-year maximum sentence will no doubt be reduced for entering a plea deal and serving as an informant, he still faces at least two years.

Sentencing guideline ranges are a more accurate reflection of the potential sentence than the maximum penalty, which tends to be much higher, because they include factors from the specific case that can raise or lower the sentence and because sentences on different counts can be served concurrently rather than consecutively. His alleged cohorts are charged with one to three counts ranging from five to 10 years maximum prison time per count, according to the Justice Department.

But so far, increasing penalties hasn't done much to deter criminals.

LulzSec's brazen actions and taunting of law enforcement certainly won't endear the accused to prosecutors. Hacktivism has historically been seen as akin to online graffiti or criminal mischief intended to further a political agenda and generate bragging rights, Bachmann said. But LulzSec has changed that perception, he added.

Things have only gotten worse for arrested hackers since Mitnick's day.

"The federal system is so stacked against the defendant that many people will take a plea agreement" to avoid having judges consider conduct a defendant was acquitted of when determining sentencing, Mitnick said. "That's why most federal hacking cases are settled. Prosecutors will try to get as much time out of defendants as they possibly can."

With alleged Anonymous and LulzSec members, "the government is angry because the FBI can't control these hackers," he added. "So now the Department of Justice will come down harder on these guys for hacking. It's a bad time politically to be busted for hacking. The FBI doesn't have a sense of humor. I learned that first-hand."

The societal threat posed by criminal hackers and cybercriminals in general has grown significantly in the last decade and the penalties for hacking have increased to reflect that, Bachmann said. "I do not believe that the sentences will be any milder than those handed out for financially motivated crimes," he said. "I believe that the sentences will be stiff because the sentences given within the vast range of punishments -- between one and 10 years per count -- are determined by factors such as whether the defendant acted with forethought, used more than minimal planning, or used special skills, all three almost a given for hacking offenses."

Under new legislation, the character and personal characteristics of a defendant, such as age, maturity, education level, and motive, play only a secondary role, according to Bachmann.

"When there is no pecuniary gain and it's done for ideological purposes, depending on the judge, that can cut both ways in my experience," said Carlson. "A judge may see these kids as idealistic and as having learned their lessons, or as committed Internet terrorists who are fundamentally not going to change their ways and need to be locked up to secure computer networks."

The harsher sentencing guidelines are designed to serve as a deterrent, but Bachmann questioned their efficacy because of the perception that there is only a small chance of getting arrested. Indeed, Jennifer Granick, who has represented hackers in court, notes that there haven't been a lot of hacking prosecutions overall. "They just don't catch people very much," she said. "And the people they have caught were engaged in credit card fraud."

There are myriad ways for hackers to hide their tracks and subterfuge is the norm. Sometimes the police catch a lucky break, such as noticing a rare glimpse of the Internet Protocol address of Monsegur's computer when he failed to cloak it during a chat room log-in. But more hackers are arrested when their partners in crime snitch, like Monsegur did.

"The degree of anonymity granted by the Internet diminishes the chances of getting caught and every semi-skilled criminal hacker knows how slim the chances of being arrested and convicted are," Bachmann said. "Without any certainty of arrest and punishment, there will be no deterrence."