Security
firms, software developers, financial institutions, and government
agencies should decide to hire or fire cyberoffenders on a
case-by-case basis. Is an applicant who gained or attempted to gain
unauthorized computer access more or less dangerous than an individual
convicted of any other crime? It depends. IT hiring managers must
consider each applicant on his or her case’s individual merits and bear
in mind poorly written cybercrime laws, one-time indiscretions, and the
impracticality of an absolute ban on cybercriminal hiring.
Daniel Cuthbert is a cybercriminal. On Thursday, October 7, 2005, a British court found him guilty
of violating the Computer Misuse Act of 1990. On Dec. 31, 2004, he added
“../../../” to the URL of a Web site soliciting donations for Asian
tsunami victims in an attempt to access the site’s higher directories.
Cuthbert claimed he donated to the Web site and later became concerned
that he’d fallen victim to a phishing scam. Cuthbert was fined about
$700 and required to pay about $1,050 for costs.
Cuthbert’s conviction underscores the problem created by outdated or
poorly written cybercrime laws. Cuthbert had a clean criminal
background and worked for a reputable financial institution. He didn’t
install a spider, attempt to crack a password-protected system, or try
a social engineering attack. The trial judge agreed that Cuthbert did
not intend to cause harm through his actions. The judge also deeply
regretted finding Cuthbert guilty.
The Computer Misuse Act of 1990 classifies “unauthorized access to
computer material” as an offense regardless of the accused’s intent to
cause damage. While I agree it’s a good idea to classify unauthorized
“browsing” as criminal, I find it difficult to catalog Cuthbert’s URL
manipulation as inherently wrong. What happens if an unsuspecting user
incorrectly enters a URL and strays onto proprietary information? This
activity would be classified as criminal by the Computer Misuse Act.
In the physical world, most individuals understand the boundaries
between public and private space. We see a house’s front door, knock
and, if it’s locked, leave. Reasonable individuals understand why
picking the lock and entering the house without cause constitutes a
criminal act. In cyberspace, the barriers aren’t so clear. The lack of
adequate cybercrime case law makes the accurate wording of cybercrime
statutes critical for effective enforcement. I would equate Cuthbert’s
manipulation of the Web site URL with knocking on the front door.
Unfortunately, Cuthbert’s lawyers made this argument during trial and
failed.
Luckily, computer security firm Corsaire, Cuthbert’s current employer, has taken a sensible view of the situation and chosen to keep Cuthbert as an employee. I applaud Corsaire for choosing to look past Cuthbert’s conviction and consider the situation’s mitigating factors.
Let me be absolutely clear: I’m not advocating that organizations
hire unrepentant virus propagators, spammers, phishers, or other
organized computer thieves. All governments should arrest and prosecute
hardened cybercriminals to the fullest extent of the law. I also believe
convicted criminals should face sentences commensurate with their
crimes. I do propose, however, that IT hiring managers make a pragmatic,
case-by-case evaluation of past criminal history, cyber or otherwise.