US: tackling 'cyber-crime'

The European Court of Human Rights will consider on Thursday whether to prevent hacker Gary McKinnon’s extradition to the United States. McKinnon is accused of breaking into numerous US government and military computer systems, causing 700,000 dollars of damage in the process -- including bringing down the computer network of a Navy Base for a week. McKinnon admits hacking into the systems but insists he did so without malicious intent (claiming instead that he was looking to find information on UFOs).

His defence hopes to exploit irregularities in the plea bargaining process, in which McKinnon was threatened with a substantially higher jail term if he did not cooperate with prosecutors -- also raising the possibility that McKinnon faced a military tribunal. However, the UK High Court was unsympathetic in a ruling last month, and a European reversal appears unlikely. Even the startlingly downbeat aims of the blog in McKinnon’s support -- “Free Gary McKinnon -- or at least try him in the UK” -- are unlikely to be met.

McKinnon was unlucky in his timing: he was arrested in the more suspicious security climate after the terrorist attacks of 2001 (previous such cases from the 1990s did not lead to prosecution; another, of an Israeli hacker from earlier in 2001, resulted in a local sentence of community service rather than extradition). It seems likely that having expended significant resources to deal with what the Critical Infrastructure Protection Board feared might be “a nation-state or a terrorist group”, the US government wanted to make an example of McKinnon -- wagering that the deterrent effect would be greater than the harm done to public diplomacy from a backlash. Despite attempts by McKinnon’s defence team to mobilise public opinion in his support -- for instance, linking his case to arguments over the asymmetric extradition requirements between the United States and the United Kingdom -- the gamble seems to have paid off, by dint of the obscurity of McKinnon’s alleged crimes.

Yet the case does raise questions about the balance of responsibility for such lapses of security. That the unemployed former systems administrator could have had such access to military systems (looking for blank passwords and other human lapses of security) poses serious questions about the US government’s preparedness then (and, given the human element, now) for cyber-attack. As states develop genuine online warfare capabilities, it will be increasingly important for states to be properly protected. A large ‘denial of service’ attack on US government systems from summer 2007 demonstrates the threat is live -- and the risk is that by claiming cunning individuals, rather than deficient systems, are the main cause of such attacks, governments are downplaying the most serious security problems they face.