Deterring Hackers by Proactive Punitive Measures
The recent arrest of two Israeli nationals in connection with the JPMorgan Chase hacking and stock manipulation in the USA has demonstrated the importance of legislation and punitive measures in response to computer crime
Adv. Admit Ivgi
| 21/09/2015
The recent JPMorgan Chase hacking and stock manipulation in the USA, in the context of which two Israeli nationals were arrested and charged with a series of offenses, including computer offenses for which they may face a maximum sentence of more than 20 years in prison if convicted, demonstrates the trend countries and courts around the globe have followed in the last year (2015) – to severely punish perpetrators of offenses regarded as computer crime.
These days, such computer violations as hacking, stealing of data, defacing, disruption of system operation, manufacture and dissemination of malicious software, Internet fraud, spamming and so forth, have become a daily phenomenon and a part of our routine. These offenses are committed relatively easily and with a minimum (or zero) investment in resources, and the perpetrators behind them are often difficult to spot and apprehend. On the other hand, massive funds and resources are being invested in an attempt to provide protection against such offenses, to detect them and cope with them, and substantial resources are also being invested in an on-going attempt to bring the perpetrators to justice. This asymmetrical problem has led the courts to severely punish perpetrators of computer offenses in the hope that such punitive measures will deter potential “computer criminals” and reduce the scope of this phenomenon.
Malware-Related Legislation
One major computer disaster that occurred in the 2000s made countries aware of the need for legislating and defining computer offenses (something which had not even existed in some countries) and demonstrated the importance of international cooperation. In the 2000s, a malicious computer worm was disseminated as a text file titled “I Love You” and attached to E-Mail messages. This malware stole E-Mail addresses from the user, through which it kept disseminating itself, stole user names and passwords and disrupted and damaged more than 45 million computers worldwide. The damaged parties included the US Pentagon and CIA, the British Parliament and various major corporations. The damage inflicted by this malware worm, worldwide, was estimated at US$ 5.5-5.7 billion, and more than US$ 15 billion were invested in the removal of this worm. For this reason, the incident, which became known as “the ILOVEYOU attack” was regarded as one of the most severe computer disasters in history.
An inquiry conducted in the Philippines pursuant to the complaints of European users found that the malware was being disseminated through a local Internet provider.The authorities in the Philippines managed to trace the malware dissemination source until they reached two local students which they suspected of having created and disseminated the malware. The investigative authority in the Philippines succeeded in proving that the two students had developed the malware and that it was their intention to create that malware in order to damage computers.
At that point it was realized that no statute in the Philippines codex forbade the creation or dissemination of computer malware, hacking of computers and so forth. So, according to the criminal law principle of Nulla poena sine lege (no penalty without a law), the two students had to be released, despite the fact that some of the damage was inflicted on citizens of the USA, which already had legislation forbidding the creation and dissemination of malware and hacking of computers. Owing to the absence of international cooperation in connection with such offenses in those days, the two perpetrators were not extradited to the USA.
Following this incident, the Philippines, along with many other countries around the world, enacted statutes that forbade the creation and dissemination of malware and redefined what “computer offenses” actually were. Additionally, this event led the countries of the world to the realization that international cooperation in computer crime investigations and in bringing the perpetrators to justice regardless of their country of origin was essential in view of the overriding characteristic of computer offenses, which were not bound by physical borders. In fact, since then to this day, many countries regard computer offenses as serious offenses and seek to severely punish perpetrators of such offenses, so as to deter potential computer offenders.
So, for example, the recent JPMorgan Chase hacking and stock manipulation in the USA in July 2015, which is currently unfolding, demonstrates the current policy of various countries with regard to seeking severe punitive measures and the importance of international cooperation: pursuant to a joint investigative effort by the FBI and the Lahav 433 unit of the Israel Police, two Israeli nationals were arrested. They are suspected of having hacked into the bank’s accounts, setting up fictitious accounts, manipulating stock, committing economic fraud using media networks, misrepresentation, spamming, et al.
US law regards economic fraud using media networks as an offense punishable by up to 20 years imprisonment. Accordingly, the indictment served against the suspects in a New York court indicates that the prosecution seeks severe punitive measures by having demanded the maximum sentence for the offenses from the outset. Taking into account the fact that the Israeli defendants were accused of committing other offenses, for which the maximum penalties were demanded, too, they might face a sentence of more than 20 years in prison if they are convicted.
Another example of the severe policy currently maintained by countries with regard to computer offenders, which, in fact, constitutes an unprecedented case in the USA and probably worldwide, is the Ross Ulbricht case. Ulbricht had founded Silk Road, a darknet trading platform which enabled users to anonymously trade in illegal goods and services such as contract killings, narcotics and the like. Ulbricht was convicted of computer hacking, narcotics trafficking, money laundering, attempted murder and other offenses, and was sentenced to life imprisonment without an option for parole.
In June 2015, a Swedish national, Alex Yucel – the owner of the Blackshades malware dissemination group, was convicted by a New York court of manufacturing, selling and disseminating “RAT” – a malicious software enabling its user to remotely dominate an infected computer, spot and collect credit card numbers and bank account user names and passwords, to activate the computer camera, et al. Eventually, Yucel was also convicted of the dissemination of another malicious software, which enables its users to stage Distributed Denial of Service (DDoS) attacks. Yucel was sentenced to 4-3/4 years in prison.
Israeli Computer Legislation
In Israel, unlike the USA, a stricter policy calling for more severe punitive measures for computer offenders is yet to be observed. The Israeli Computer Law defines computer offenses and prescribes a maximum sentence of 5 years in prison for some of those offenses, but in cases already tried, the actual sentences were far less severe than the maximum prescribed by law. So, for example, in the Madonna computer hacking case, in July 2015, pursuant to a plea bargain with the state prosecution, Adi Lederman, the perpetrator, was sentenced to fourteen months in prison and a fine of 15,000 ILS for such offenses as illegally hacking into a computer, violation of privacy and copyright violations.
Lederman had plead guilty to the charge of hacking into the computers of persons associated with Madonna and other international artists and to having illegally copied and sold unpublished music files by those singers/artists. Judge Zahi Uziel reasoned that the sentence was appropriate and sufficiently severe: “The ease at which offenses of the aforesaid kind can be perpetrated and the difficulty associated with any attempt to expose the offenses and the perpetrators necessitate an appropriate punitive response that would send a deterring and uncompromising message.” In this case, too, the spotting and apprehending of Adi Lederman were made possible by the cooperation between the cyber technology unit of Lahav 433 and the FBI.
Another example is the Tapuz portal server hacking in 2008, following which a regular IDF soldier was sentenced to 17 months in prison plus community work, a 1,500 ILS fine and a 10,000 ILS financial pledge to avoid any violation of the Israeli Computer Law for a period of two years. The soldier had hacked into the servers of the Tapuz Internet portal, denying users access to the chat service and blog system. He was charged with disruption or interference with a computer system or computer substance and accessing computer data illegally. The court said, in this matter, that they sentenced the perpetrator to “the punitive measures that mainly face the future and carry a deterring message for others who may consider following in the defendant’s footsteps, either for reasons of ‘mischief’ or for other intentions.”
In conclusion, it seems that “computer offenders” currently face particularly severe punitive measures, and in view of the intensifying and expanding cooperation between countries, the enforcement options are improving and becoming particularly proactive. The USA is setting the bar for those severe punitive measures and it is quite possible that other countries will follow the example.
Admit Ivgi, Attorney-at-Law, owner of the At-Law firm, specializes in technology, cyber and information law. She represents and provides comprehensive legal services to individuals, entrepreneurs and corporations. Adv. Admit Ivgi is a researcher of cyber law at the universities of Tel-Aviv and Haifa and possesses technological experience in the cyber field, among other things, through her work for the RSA Company as an analyst and investigator of Internet fraud.
The recent arrest of two Israeli nationals in connection with the JPMorgan Chase hacking and stock manipulation in the USA has demonstrated the importance of legislation and punitive measures in response to computer crime
The recent JPMorgan Chase hacking and stock manipulation in the USA, in the context of which two Israeli nationals were arrested and charged with a series of offenses, including computer offenses for which they may face a maximum sentence of more than 20 years in prison if convicted, demonstrates the trend countries and courts around the globe have followed in the last year (2015) – to severely punish perpetrators of offenses regarded as computer crime.
These days, such computer violations as hacking, stealing of data, defacing, disruption of system operation, manufacture and dissemination of malicious software, Internet fraud, spamming and so forth, have become a daily phenomenon and a part of our routine. These offenses are committed relatively easily and with a minimum (or zero) investment in resources, and the perpetrators behind them are often difficult to spot and apprehend. On the other hand, massive funds and resources are being invested in an attempt to provide protection against such offenses, to detect them and cope with them, and substantial resources are also being invested in an on-going attempt to bring the perpetrators to justice. This asymmetrical problem has led the courts to severely punish perpetrators of computer offenses in the hope that such punitive measures will deter potential “computer criminals” and reduce the scope of this phenomenon.
Malware-Related Legislation
One major computer disaster that occurred in the 2000s made countries aware of the need for legislating and defining computer offenses (something which had not even existed in some countries) and demonstrated the importance of international cooperation. In the 2000s, a malicious computer worm was disseminated as a text file titled “I Love You” and attached to E-Mail messages. This malware stole E-Mail addresses from the user, through which it kept disseminating itself, stole user names and passwords and disrupted and damaged more than 45 million computers worldwide. The damaged parties included the US Pentagon and CIA, the British Parliament and various major corporations. The damage inflicted by this malware worm, worldwide, was estimated at US$ 5.5-5.7 billion, and more than US$ 15 billion were invested in the removal of this worm. For this reason, the incident, which became known as “the ILOVEYOU attack” was regarded as one of the most severe computer disasters in history.
An inquiry conducted in the Philippines pursuant to the complaints of European users found that the malware was being disseminated through a local Internet provider.The authorities in the Philippines managed to trace the malware dissemination source until they reached two local students which they suspected of having created and disseminated the malware. The investigative authority in the Philippines succeeded in proving that the two students had developed the malware and that it was their intention to create that malware in order to damage computers.
At that point it was realized that no statute in the Philippines codex forbade the creation or dissemination of computer malware, hacking of computers and so forth. So, according to the criminal law principle of Nulla poena sine lege (no penalty without a law), the two students had to be released, despite the fact that some of the damage was inflicted on citizens of the USA, which already had legislation forbidding the creation and dissemination of malware and hacking of computers. Owing to the absence of international cooperation in connection with such offenses in those days, the two perpetrators were not extradited to the USA.
Following this incident, the Philippines, along with many other countries around the world, enacted statutes that forbade the creation and dissemination of malware and redefined what “computer offenses” actually were. Additionally, this event led the countries of the world to the realization that international cooperation in computer crime investigations and in bringing the perpetrators to justice regardless of their country of origin was essential in view of the overriding characteristic of computer offenses, which were not bound by physical borders. In fact, since then to this day, many countries regard computer offenses as serious offenses and seek to severely punish perpetrators of such offenses, so as to deter potential computer offenders.
So, for example, the recent JPMorgan Chase hacking and stock manipulation in the USA in July 2015, which is currently unfolding, demonstrates the current policy of various countries with regard to seeking severe punitive measures and the importance of international cooperation: pursuant to a joint investigative effort by the FBI and the Lahav 433 unit of the Israel Police, two Israeli nationals were arrested. They are suspected of having hacked into the bank’s accounts, setting up fictitious accounts, manipulating stock, committing economic fraud using media networks, misrepresentation, spamming, et al.
US law regards economic fraud using media networks as an offense punishable by up to 20 years imprisonment. Accordingly, the indictment served against the suspects in a New York court indicates that the prosecution seeks severe punitive measures by having demanded the maximum sentence for the offenses from the outset. Taking into account the fact that the Israeli defendants were accused of committing other offenses, for which the maximum penalties were demanded, too, they might face a sentence of more than 20 years in prison if they are convicted.
Another example of the severe policy currently maintained by countries with regard to computer offenders, which, in fact, constitutes an unprecedented case in the USA and probably worldwide, is the Ross Ulbricht case. Ulbricht had founded Silk Road, a darknet trading platform which enabled users to anonymously trade in illegal goods and services such as contract killings, narcotics and the like. Ulbricht was convicted of computer hacking, narcotics trafficking, money laundering, attempted murder and other offenses, and was sentenced to life imprisonment without an option for parole.
In June 2015, a Swedish national, Alex Yucel – the owner of the Blackshades malware dissemination group, was convicted by a New York court of manufacturing, selling and disseminating “RAT” – a malicious software enabling its user to remotely dominate an infected computer, spot and collect credit card numbers and bank account user names and passwords, to activate the computer camera, et al. Eventually, Yucel was also convicted of the dissemination of another malicious software, which enables its users to stage Distributed Denial of Service (DDoS) attacks. Yucel was sentenced to 4-3/4 years in prison.
Israeli Computer Legislation
In Israel, unlike the USA, a stricter policy calling for more severe punitive measures for computer offenders is yet to be observed. The Israeli Computer Law defines computer offenses and prescribes a maximum sentence of 5 years in prison for some of those offenses, but in cases already tried, the actual sentences were far less severe than the maximum prescribed by law. So, for example, in the Madonna computer hacking case, in July 2015, pursuant to a plea bargain with the state prosecution, Adi Lederman, the perpetrator, was sentenced to fourteen months in prison and a fine of 15,000 ILS for such offenses as illegally hacking into a computer, violation of privacy and copyright violations.
Lederman had plead guilty to the charge of hacking into the computers of persons associated with Madonna and other international artists and to having illegally copied and sold unpublished music files by those singers/artists. Judge Zahi Uziel reasoned that the sentence was appropriate and sufficiently severe: “The ease at which offenses of the aforesaid kind can be perpetrated and the difficulty associated with any attempt to expose the offenses and the perpetrators necessitate an appropriate punitive response that would send a deterring and uncompromising message.” In this case, too, the spotting and apprehending of Adi Lederman were made possible by the cooperation between the cyber technology unit of Lahav 433 and the FBI.
Another example is the Tapuz portal server hacking in 2008, following which a regular IDF soldier was sentenced to 17 months in prison plus community work, a 1,500 ILS fine and a 10,000 ILS financial pledge to avoid any violation of the Israeli Computer Law for a period of two years. The soldier had hacked into the servers of the Tapuz Internet portal, denying users access to the chat service and blog system. He was charged with disruption or interference with a computer system or computer substance and accessing computer data illegally. The court said, in this matter, that they sentenced the perpetrator to “the punitive measures that mainly face the future and carry a deterring message for others who may consider following in the defendant’s footsteps, either for reasons of ‘mischief’ or for other intentions.”
In conclusion, it seems that “computer offenders” currently face particularly severe punitive measures, and in view of the intensifying and expanding cooperation between countries, the enforcement options are improving and becoming particularly proactive. The USA is setting the bar for those severe punitive measures and it is quite possible that other countries will follow the example.
Admit Ivgi, Attorney-at-Law, owner of the At-Law firm, specializes in technology, cyber and information law. She represents and provides comprehensive legal services to individuals, entrepreneurs and corporations. Adv. Admit Ivgi is a researcher of cyber law at the universities of Tel-Aviv and Haifa and possesses technological experience in the cyber field, among other things, through her work for the RSA Company as an analyst and investigator of Internet fraud.
