On the soapbox

Security firms, software developers, financial institutions, and government agencies should decide to hire or fire cyberoffenders on a case-by-case basis. Is an applicant who gained or attempted to gain unauthorized computer access more or less dangerous than an individual convicted of any other crime? It depends. IT hiring managers must consider each applicant on his or her case’s individual merits and bear in mind poorly written cybercrime laws, one-time indiscretions, and the impracticality of an absolute ban on cybercriminal hiring.

Daniel Cuthbert is a cybercriminal. On Thursday, October 7, 2005, a British court found him guilty of violating the Computer Misuse Act of 1990. On Dec. 31, 2004, he added “../../../” to the URL of a Web site soliciting donations for Asian tsunami victims in an attempt to access the site’s higher directories. Cuthbert claimed he had donated to the Web site and later became concerned that he’d fallen victim to a phishing scam. Cuthbert was fined about $700 and required to pay about $1,050 in costs.

Cuthbert’s conviction underscores the problem created by outdated or poorly written cybercrime laws. Cuthbert had a clean criminal background and worked for a reputable financial institution. He didn’t install a spider, attempt to crack a password-protected system, or try a social engineering attack. The trial judge agreed that Cuthbert did not intend to cause harm through his actions. The judge also deeply regretted finding Cuthbert guilty.

The Computer Misuse Act of 1990 classifies “unauthorized access to computer material” as an offense regardless of the accused’s intent to cause damage. While I agree it’s a good idea to classify unauthorized “browsing” as criminal, I find it difficult to catalog Cuthbert’s URL manipulation as inherently wrong. What happens if an unsuspecting user incorrectly enters a URL and strays onto proprietary information? Under the Computer Misuse Act, this activity would be classified as criminal.

In the physical world, most individuals understand the boundaries between public and private space. We see a house’s front door, knock and, if it’s locked, leave. Reasonable individuals understand why picking the lock and entering the house without cause constitutes a criminal act. In cyberspace, the barriers aren’t so clear. The lack of adequate cybercrime case law makes the accurate wording of cybercrime statutes critical for effective enforcement. I would equate Cuthbert’s manipulation of the Web site URL with knocking on the front door. Unfortunately, Cuthbert’s lawyers made this argument during trial and failed.

Luckily, computer security firm Corsaire, Cuthbert’s current employer, has taken a sensible view of the situation and chosen to keep Cuthbert as an employee. I applaud Corsaire for choosing to look past Cuthbert’s conviction and consider the situation’s mitigating factors.

Let me be absolutely clear: I’m not advocating that organizations hire unrepentant virus propagators, spammers, phishers, or other organized computer thieves. All governments should arrest and prosecute hardened cybercriminals to the fullest extent of the law. I also believe convicted criminals should face sentences commensurate with their crimes. I do propose, however, that IT hiring managers make a pragmatic, case-by-case evaluation of past criminal history, cyber or otherwise.
