What kind of punishment should cyber criminals face? This is a question without a clear answer. After all, in the global history of crime, cyber crime is a relatively new thing, with the first instances of cyber crime not emerging until the 1970s. And just as virtual crime itself is new, so is the idea of punishing it. But those ideas are evolving. And these days, one thing is clear: While cyber crime itself might transpire in the virtual realm, punishments for those who carry it out are very real.
U.K. legislation raises eyebrows
When we think of the kinds of criminal infractions that could earn you a lifetime behind bars, cyber crimes probably aren't the first to come to mind. But if the U.K. has anything to say about it, that perception may soon be changing. As SC Magazine reported, U.K. lawmakers recently passed an amendment to the country's preexisting Computer Misuse Act. The amendment states that a person who knowingly commits a cyber crime that poses "serious damage" to "human welfare or to national security" can now earn a one-way ticket to the slammer.
But as the SC Magazine article pointed out, the text of the amendment leaves a whole lot of room for debate. After all, what exactly constitutes "serious damage" to welfare or security? The broad nature of the amendment could likely end up working against cyber criminals, as hackers are made to answer to a whole host of virtual infractions with an increasingly stiff batch of penalties. However, it is difficult to be sympathetic to hackers as far as penalties are concerned, when one can easily make the argument that they've brought it on themselves.
Hacking as an evolving criminal process
One reason it may be shocking for readers to register that a life sentence for cyber crime is now possible is because many people's vision of a hacker is colored by an outmoded representation. Matthew Broderick's mischievously playful performance in 1983's War Games, for example, emerged as one of the first cinematic archetypes of the modern hacker. In that film, Broderick's character was a reckless computer whiz who hacked for fun. The conceit of the film is that Broderick's idea of fun has some rather disastrous (and unintentional) potential global consequences, but even with those repercussions on the table, Broderick's character still gets off with a slap on the wrist.
That's because, as the film makes clear, there's no malicious intent to Broderick's character. He wasn't hacking to bring the world to the brink of nuclear conflict – he was hacking just for the fun of it. For a while, the Hollywood-painted image of the computer hacker – that of a curious tech geek whose exploits led to unintended consequences – was very much a reflection of the real world. Robert Morris, for instance – the man who lent his name to the Internet's inaugural worm – was hardly a criminal mastermind, but instead a Cornell graduate student. Morris didn't make the worm for criminal gains – instead, he made it to see how big the Internet was. Yet his worm spiraled out of control, causing untold thousands of dollars in damages. Ultimately, Morris was made to answer for his actions, but his punishment came in the form of probation and a fine. There's a huge difference between that and a lifetime behind bars.
But then again, there's a huge difference between Morris and the cyber criminals operating today. The potential of virtual criminals to cause real – and devastating – damage was brought starkly to light recently in the trial of Silk Road founder Ross Ulbricht. For two years, Silk Road provided its online users with a malicious treasure trove of illicit goods. With Ulbricht helming the operation, the website trafficked in drugs and guns, using virtual currency so its users and owners could evade detection.
Yet what's scariest about Silk Road isn't the site itself, but what went on behind the scenes. During Ulbricht's trial, prosecutors produced a shocking piece of evidence: online chat transcripts proving that Ulbricht attempted to solicit the assassination of five rivals. This moment – where human lives hang in the balance – is precisely the instance when virtual crime and regular crime become irretrievably blurred. What is the difference between a cyber criminal and a ruthless drug lord? As the Ulbricht trial proved, sometimes there's no difference at all. Ulbricht occupied both roles at the same time.
Facing the music
Punishment serves a dual purpose: It holds guilty individuals accountable, and it deters others from making the same mistakes. It's this principle that underlies Ulbricht's sentencing. As WIRED pointed out, prosecutors in the Ulbricht trial recently issued a letter to the sentencing judge requesting "a lengthy sentence, one substantially above the mandatory minimum." The prosecution stated its reasoning as follows: "Ulbricht's conviction is the first of its kind, and his sentencing is being closely watched … The Court thus has an opportunity to send a clear message to anyone tempted to follow his example that the operation of these illegal enterprises comes with severe consequences."
With the relative newness of cyber crime, the jury is literally still out on exactly how harshly hackers will pay for their crimes. As of now, for instance, there's not a mandatory minimum sentence for hackers the way there is for, say, drug trafficking in certain states. But such measures will surely emerge as more cyber criminals are brought before courts.
Back in 2000, a report issued by McConnell International found that "the laws of most countries do not clearly prohibit cyber crimes." We've certainly come a long way since then, but the road to punishing cyber crime is still filled with complexity and questions. One of these questions revolves around what exactly constitutes a cyber crime. In the case of the late Reddit founder Aaron Swartz, for instance, Swartz – who committed suicide before sentencing – was facing 35 years in prison for stealing millions of academic documents from MIT, an act that many argued was hardly crime enough to justify the potential punishment. When it comes to cyber crime and punishment, deciding what is crime enough is a chief order of business.