To avoid prison for cybercrime, stick with mischief

SAN FRANCISCO - Computer hacks that cause more mischief than money losses are often prosecuted by US authorities, but long prison sentences are rare.

The takedown of the US Central Intelligence Agency's website is the most recent example of a mischievous kind of hack. There was no immediate evidence that any sensitive data was compromised when the agency's website went down on Wednesday.

US cybercrime laws apply to attacks regardless of whether there have been data breaches, said Ross Nadel, a former federal prosecutor who specialised in investigating computer crimes.

Even if a hacker does not steal information, a victim need only show that he or she suffered US$5,000 (S$6,200) in damage in a one-year period to trigger prosecution under the Computer Fraud and Abuse Act, he said.

"You can get to US$5,000 just by hiring a lawyer," said Thomas Nolan, a San Jose, California-based attorney who has defended hackers.

Investigating attacks is always difficult for prosecutors. Rather than directly attack a website, hackers often use intermediary computers that have been previously compromised, Nadel said.

But the hacking of the CIA website will likely get an close look. The government usually prioritises high dollar crimes - or those that target government institutions.

"Of course if someone is attacked like the CIA, I would assume that is going to be taken very seriously," Nadel said.

Cyber attacks have targeted multinational companies and institutions in recent weeks, including Sony Corp, Citigroup and the International Monetary Fund. Sony faces dozens of lawsuits related to the theft of consumer data from its Playstation network.

The same hacker group that claimed responsibility for the Sony breach, Lulz Security, said it targeted the CIA website.

The government does go after hackers who do not exact a high financial cost. As with other white-collar crimes, though, the length of any potential prison sentence greatly depends on the severity of financial loss.

An attack that costs millions ramps up federal sentencing guidelines that a defendant faces, while one that is less costly often ends in probation, Nolan said.

Yet, even if hackers don't cause a big financial loss - as in the CIA incident - the government can try to enhance a sentence by arguing that they used "sophisticated means" to carry out the crime, according to a Justice Department manual on cybercrime prosecutions.

The number of victims can also come into play.

"The problem with hacking prosecutions isn't that the sentences are too low, but that the hackers are rarely caught,"said Orin Kerr, a professor at the George Washington University Law School.

Albert Gonzalez, an American who pleaded guilty in connection with the computer hacking of several major US retailers, was sentenced to 20 years in prison last year. More than 40 million credit and debit card numbers were said to have been stolen in the scheme.

But last month, a former contractor for the animal rights group PETA Foundation was sentenced to a year of probation and US$1,400 in restitution for logging into the organization's server from his Los Angeles apartment, according to court papers.

"I was upset that I had been fired," the contractor, Vincent Tocce, said in his plea agreement. He admitted to deleting about 575 video and HTML files that he had previously worked on.

An attorney for Tocce could not be reached.

Federal prosecutors sometimes take tougher stances if it takes more resources to find a suspect, Nolan said.

"The harder it is to find them, the more upset they get, but they don't really do a lot to them in terms of punishment,"he said.