I am no fan of the people who launch these attacks -- calling them "scum" offends the ordinary scum populating our communities -- but greater than my desire to see them suffer is my desire to reduce the number of attacks. I don't think that a harsh sentence such as Krebs advocates would have done that. What is the answer, then? Prevention.
IT and law enforcement have to focus more on making cyberattacks ineffective and far more time-consuming and expensive. On the IT side, data breaches and payment fraud are already being dealt with, and the sooner the industry sees security as essential and not merely an inconvenience, the better. Time and again, I run into payments companies, mobile players and retailers that dilute security for the sake of shopper convenience. That kind of mind-set deprives those companies of the right to complain when they get hit by fraud. If you choose to weaken security, you have to pay the price.
As for law enforcement, some of the offenses of the 17-year-old were calling in bomb threats and swats (calling police to falsely report a crime, with the sole objective of embarrassing, inconveniencing and harassing someone). Law enforcement must respond to such calls, but commonsense due diligence is often skipped. It can't be. Swatting, with real-life SWAT teams, could easily lead to death if something goes wrong.
I'm reminded of my interactions with one of the earliest famed cybercriminals, namely Robert Tappan Morris. His claim to fame is that he created the Morris Worm, way back in 1988. He was the first person convicted under the Computer Fraud and Abuse Act, following a three-week trial in Syracuse, N.Y., that I covered.
Morris, a graduate of Harvard and a Cornell grad student at the time, was also the son of the National Security Agency's chief scientist. He unleashed his worm specifically to prove the security weaknesses of the Internet. He hadn't intended to crash the Internet, but he made a math error that caused the worm to replicate out of control.
IT people all over the world called for his head, but the federal judge gave Morris probation. Having observed him for weeks, I thought the sentence was just; I saw no sense in sending Morris away to prison. Morris today is a tenured MIT professor and a partner in Y Combinator and other ventures. Nearly 25 years ago, he did something very stupid, but he had a noble goal: to make everyone aware of the Internet's security holes so that they would fix them.
Julius Kivimäki had no such noble goal. But the issue is the same. If the point of sentencing in such cases is to reduce cyberattacks, prison isn't the answer. Vengeance has its place, but I'd rather prevent attacks than imprison teens.