Two UK men were sentenced to jail last week for their involvement in launching distributed denial of service (DDoS) attacks on several websites, the most notable of which was that of PayPal. The attacks were part of “Operation Payback”, coordinated by Anonymous and started as a general protest against organisations that were involved with enforcing copyright. The operation was later extended to involve PayPal, Mastercard and Visa over their roles in blocking donations to WikiLeaks.
The men, Christopher Weatherhead (22) and Ashley Rhodes (28), were found guilty of “conspiring to impair the operations of computers” between 1st August 2010 and 22nd January 2011. They were sentenced to 18 months and 7 months in jail respectively. Their contribution to the DDoS consisted of them running a piece of software called LOIC, which can be downloaded and set up by anyone with little technical skill needed. LOIC also needs large numbers of people or automated computers to run enough copies to render a site like PayPal inaccessible.
The prosecution however described the attack launched by the pair as causing “unprecedented harm” to the companies involved. In the US, where others are standing trial for their involvement in DDoS attacks, defendants are being accused of causing actual damage to computers and networks.
Many, including criminal law specialist Jay Leiderman have argued that DDoS is a valid form of protest and that, in the US, should be protected as free speech. Although it is unlikely that DDoS will ever be seen in this light, it seems unreasonable to argue that it causes damage or unprecedented harm to computers or networks. In the UK trial of Weatherhead and Rhodes, each company affected by the attacks stated a financial cost of the denial of service. These costs ranged from about $6,000 in the case of the British Phonographic Industry to a massive $5.25 million in the case of PayPal. It is also worth remembering that these two individuals were not the only people participating in the attacks, although it seems that they were tried as if they were.
DDoS in and of itself doesn’t harm a website, computers or networks. It just brings them to a halt by flooding requests at a rate the computers can’t handle. Once it stops, everything returns to normal. The computers and networks are not damaged or worn out in any way.
Companies like PayPal calculate the cost of these attacks by claiming loss of revenue during the time the site was down and, more contentiously, the costs of employing staff and software to try and prevent the attack happening again. Claiming the latter cost is like charging a burglar with the cost of fitting security screens to your house after it has been broken into. Claiming staff costs is also somewhat spurious as they are just doing what they would normally do which is looking after their machines and networks.
When calculated in this manner, inflated costs are designed to over-emphasise the case against the defendants. They can also be used by law-makers and politicians to emphasise the necessity for funding of cyber security services, as Australian Prime Minister Julia Gillard did just recently, when she announced the formation of an Australian Cyber Security Centre. The spending of $1.46 billion was justified by the claim that the annual cost of cyber crime to Australia was $1.65 billion per year.
As with the case of the over-zealous prosecution of Internet activist Aaron Swartz that resulted in his taking his life, prosecutors and judges treat the punishment of hackers and Internet activists as an opportunity to set a harsh example and act as a deterrent to others. Whether they achieve their objective or not is open to question. Certainly the prosecution of perhaps naive, but essentially well-intentioned activists, is not going to deter cyber criminals or hostile nation states from committing cyber attacks.
But this hasn’t dissuaded the criminal justice systems of Europe and the US from pursuing this course of action. There are still a large number of people awaiting trial in a number of countries for offences committed under the banner of Internet activism. Many are facing the possibility of years in prison and having their lives destroyed as a consequence. For these mostly young men, there has to be a better form of punishment for what they have done.