Security threats Toolkit

Punishment fails to fit the cybercrime

Declan McCullagh CNET News

Published: 19 Aug 2004 10:35 BST

Jeffrey Lee Parson pleaded guilty last week to unleashing part of the MSBlast worm attack that wreaked havoc on the Internet a year ago. He got off easy.

Federal prosecutors predictably touted Parson's guilty plea as an example for other would-be vandals. John McKay, the US Attorney for Seattle, proclaimed: "The damage to individual computer users is very real, and the penalties are also very real."

Not really. McKay neglected to mention that Parson's all-expense-paid visit to Club Fed will be surprisingly brief. Prosecutors say that the deal they cut means that Parson, who is 19 years old, will be sentenced to between 18 and 37 months.

That's mild punishment for someone who admitted to inserting nasty features into the original version of MSBlast to make it more noxious. By releasing his "MSBlast.B" variant that took advantage of a bug in Microsoft Windows, Parson intentionally harmed tens of thousands of people for his own amusement.

Compare Parson's sentence with the far stiffer penalties that the government metes out to marijuana "criminals," who harm nobody and cause no property damage. For the 2001 fiscal year, the average sentence for a marijuana offence was 38 months in prison, according to the Office of National Drug Control Policy.

Parson could be serving more time if he had simply stolen a neighbour's car on a whim. The average federal sentence for motor vehicle theft in 2000 was 28 months, the US Justice Department reports. Aggravated assault is punished with an average sentence of 33 months.

If prosecutors took real computer crimes seriously, might that deter future worm attacks? Consider that federal law says the maximum penalty for the offences listed in Parson's arrest warrant is at least 30 years.

Few caught, fewer go to prison
Light sentences for worm and virus writers is hardly a new phenomenon. In 1988, a Cornell University graduate student named Robert T. Morris released the first Internet worm -- and was eventually sentenced to three years' probation, 400 hours of community service and a $10,000 (£5,484) fine.

Morris probably didn't deserve a harsher sentence. He never meant for his worm to spread so quickly that it became a worldwide menace (a programming error, not malice, made that happen). Today's generation of so-called script kiddies have no excuse: their handiwork is carefully crafted to be both disruptive and destructive.