As a mathematician, I enjoy law and economics, and I have been
dealing a great deal with hackers lately, but I was still shocked to
see this op-ed, "Worse Than Death," in the New York Times this morning lobbying for
harsher punishments for hackers. I am not even sure if his call for
the death penalty for a German worm writer is a joke.
Tierney’s article draws its thesis from this article by Steven
Landsburg, an Economics Professor at the University of Rochester. In
this article, he compares the economic damage of murderers and virus,
worm, and Trojan writers and concludes that the death penalty would
deter even more and the justice system would be able to “supply
protections that, for one reason or another, we can't purchase in the
marketplace. Those governments perform best when they supply the
protections we value most.” I will ignore the bait of the moral
argument from the end of the article and stick to the important issue at
hand: the economics of hacking.
Problem is we can buy protection
from viruses and worms. It may even be more effective than buying
protection against murder. It is certainly cheaper than living in a
nice neighborhood or hiring a bodyguard. Make no mistake, it is being
bought by all kinds of people. Maybe we should just let the market fix
it and buy better software.
Better yet, isn’t the least cost avoider the one who made the
security hole in the first place? Why not just impose product
liability on software vendors? Why isn’t Sasser Microsoft’s fault? If
they have to pay me, they’ll clean up their act real quick! Caveat: I
am in no way actually supportive of strict product liability for software
(though perhaps liability for failing to patch within a reasonable time
in some circumstances, but that is an entirely different issue). I
offer this alternative to wonder why an economist would look to the
virus-writing kids for rational economic behavior and not the
corporations of responsible people.
Lovebug, a nasty email virus traced to the Philippines that sent
itself to everyone in your Outlook address book, is still around. Its
author was never
charged and never apologized. I doubt that his lack of punishment
inspired future virus writers around the globe to continue without care
in their endeavors. In fact this story echoes that of the very first
worm, unleashed in 1988 by Robert T. Morris. It was an accident.
Regardless, Morris was convicted of violating the Computer Fraud and
Abuse Act, and sentenced to three years of probation, 400 hours of
community service, and a fine of $10,050.
Tierney transforms the worm, virus, and Trojan writers into "hackers."
This category is far too broad. It includes some people much, much
nastier than our young worm writer, like "the Russian hackers," Gorshkov and Ivanov
(sentenced to 36 and 48 months in jail, respectively) who exploited
security holes to steal credit card numbers and blackmail businesses.
It includes some people much less nasty, like Robert Lyttle, who
exploited a Department of Defense security hole to help, to let them
know about it. It includes anyone accessing his New York Times
op-ed with a stolen password. All hackers the US has charged in
the last seven years are on this page. Yes, that’s
all.
I suggest that Sven Jaschan, the German teenager who admitted to
writing the Sasser worm, was thinking of none of these people when he
discovered a Windows security flaw and wrote a few lines of code.
People like Gorshkov and Ivanov, who are just criminal fraudsters using
a new medium, can be deterred. Their actions are more economic; they
actually have a cost-benefit analysis. Deterring hackers with no
financial gain is trickier.
First, the economics scale poorly. Jaschan happened to be a phenomenal
virus writer who
was responsible for over 70% of viruses in the first half of 2004. However, the person deterred
by his execution might
have been a petty virus writer. That is, to deter less than one percent
of viruses doesn't make much sense because virtually all damage comes
from a handful of viruses.
Do you stop one percent of virus writers, ending up with radically
different results? Or do you stop a weak virus?
Do you keep a writer like Jaschan from sending out one variation?
Second, the drive to do these things is not in numbers. It is not an
equation so easily written out by
Professor Landsburg. The rage Tierney expresses in "man-years I've
spent running virus scans
and reformatting hard drives," something no self-respecting elite would
say, only adds to how cool this behavior is. Think of Mitnick. He
went to jail for years. And his plea agreement kept him from using
computers for another three. And his plea agreement still blocks him
from making money off his crimes, hence no book deal just yet. Does
that matter? Mitnick’s name lives on, and people are still hiring him
to do things with their systems.
It is frustrating that ex-hackers can gain fame and lucrative employment. Unethical lawyers and doctors never practice again. Hackers have job security and notoriety. I am not sure whether the solution would have been to never let Mitnick use a computer again. It probably wouldn't have changed his behavior, but I suppose it might have changed
someone else's. I certainly don’t think the answer would
have been executing Mitnick. Even if Mitnick had been put to death, he
would still be an icon of cool. In fact, then he would have been a cool martyr. The punishment will not change the culture, the strange sub-culture of elite computer experts who admire having the kind of power Mitnick once did.
As for the Sasser worm, law enforcement seems to have done
amazingly. They caught the right guy quickly and charged him with
relevant laws, things that would have been much more difficult if not
impossible a few years ago. That shows investigations and law have both come a long way. Microsoft was doing well too, having
released a patch for the
security problem months before. The problem was lazy, ill-prepared
businesses who refused to police their own systems and a group of kids
who thought it was cool to use their power for evil. Should we execute
all of them too?