How much jail time will a serial cybercriminal serve?
The answer, for someone who committed those crimes while living in Finland - and who was considered a "child" at the time - can be "none at all."
If a child can disrupt Sony and Microsoft, our security standards are arguably not good enough. Of course, that's no excuse for bad behavior.
Julius Kivimaki, a 17-year-old hacker found guilty of 50,700 "instances of aggravated computer break-ins," will spend no time in jail. He was convicted of a range of crimes, from committing data breaches and online harassment to fraud and money laundering, reports Finnish newspaper Kaleva.
Kivimaki's activities disrupted systems at Harvard and the Massachusetts Institute of Technology, blocked traffic to websites, led to the theft of payment card data, and included a breach of database hosting provider MongoHQ, the BBC reports.
But despite those crimes, the District Court of Espoo sentenced Kivimaki - a.k.a. "Zeekill," "Ryan" - to a two-year suspended prison sentence, confiscated his PC, and ordered him to forfeit €6,588 ($7,276) worth of property obtained through his crimes, according to the BBC and Finnish media outlets. He also must submit to monitoring of his online activities
Judge Wilhelm Norrmann emphasized that Kivimaki was only 15 and 16 when he carried out the crimes in 2012 and 2013. "[The verdict] took into account the young age of the defendant at the time, his capacity to understand the harmfulness of the crimes, and the fact that he had been imprisoned for about a month during the pre-trial investigation," according to a statement released by the court, the BBC reports.
But Kivimaki was also a member of the notorious distributed denial-of-service attack gang Lizard Squad, security blogger Brian Krebs first reported in December 2014. The BBC reports, however, that the name of the group was not mentioned by the District Court of Espoo.
Lizard Squad claimed credit for the 2014 Christmas day DDoS disruption of Sony's PlayStation and Microsoft's Xbox Live networks as a way to advertise its new "Lizard Stresser" DDoS-for-hire service (see PlayStation, Xbox Disruptions Continue). "We did it mostly to raise awareness, to amuse ourselves," a Lizard Squad member named as "Ryan" told U.K.'s Sky News in a video interview. Multiple security experts, however, have said that Ryan was, in fact, Kivimaki.
Bigger Picture Questions
The suspended sentence against Kivimaki should not be not surprising. Under Finland's child protection act, anyone under the age of 18 is legally a "child."
That fact should raise questions about our collective information security infrastructure. If a child can disrupt Sony and Microsoft, our security standards are arguably not good enough. Of course, that's no excuse for bad behavior.
In the U.S., federal prosecutors have often used the 1986 Computer Fraud and Abuse Act to throw the book at anyone accused of any crime that involves computers (see The Myth of Cybercrime Deterrence).
The result is prosecutors slamming Reddit co-creator and activist Aaron Swartz in 2011 with 13 felony charges - including wire fraud, "recklessly damaging" a computer, and unauthorized access - and the prospect of serving up to 35 years in prison after he allegedly downloaded millions of academic articles from the JSTOR academic database, using MIT's network. JSTOR requested that prosecutors drop the charges. Ultimately, 26-year-old Swartz committed suicide.
In 2013, meanwhile, activist Jeremy Hammond was convicted of hacking into and leaking data from private intelligence firm Stratfor and received a 10-year sentence.
Recently, security expert Robert David Graham questioned the sentence imposed by a judge on Silk Road creator Ross Ulbricht, who was found guilty of creating a website that enabled $200 million worth of illegal narcotics to be sold. Graham notes that the judge in Ulbricht's case imposed five sentences, two for life - far beyond what prosecutors had requested - in part because of Ulbricht's stated political beliefs that illegal narcotics should be decriminalized.
"I think the war on drugs has made us numb, since so many people get extreme punishments," Graham says.
Europe: Shorter Sentences
Compared to sentences issued by the U.S. justice system, many European sentences are shorter, thus placing a greater focus on rehabilitation. That is well-demonstrated by the U.K. arrests that followed LulzSec's 50-day hacking campaign in the summer of 2011.
Former LulzSec member Jake "topiary" Davis was 18 when he was arrested, and sentenced to 24 months in a young offenders institute, although he had been electronically tagged for 21 months prior to that, counting toward his sentencing and leaving him with just 38 days to serve. Fellow former LulzSec member Mustafa "tflow" Al-Bassam, who was 16 when he participated in the group's attacks, received a 20-month suspended sentence and 300 hours of community service. Again, both of them were arrested and charged in the United Kingdom.
Dealing with Cybercrime
One exception to the U.S. sentencing paradigm can be when a cybercrime suspect is in a position to help authorities. For example, 28-year-old former Lulzsec mastermind Hector "Sabu" Monsegur walked away in 2014 with time served, plus one year of probation, after assisting the FBI for three years.
Former LulzSec participant Davis says the takeaway for anyone convicted of computer crimes will be to ask their attorney: "Can you get me a deal like Sabu?"
But focusing on deals and rehabilitation is smart. Irish cyberpsychology expert Grainne Kirwan has found that kids tend to naturally "age out" of cybercrime as they grow up and get responsibilities, such as the need to start supporting their own children. That fact highlights that youthful cybercrime transgressions are often just that - bad things people do when they're young.