Of the many discouraging aspects of computer security, one of the worst is that offenders are rarely punished at all, let alone seriously. I have to think another disappointment in this regard is imminent.
I refer to the case of Sven Jaschan, who last year was ratted out for money by a friend. Jaschan had authored the Sasser and Netsky worms, both on the short list for most damaging and long-lasting malware infestations, and both still on the charts as active threats.
The news stories give the unmistakable whiff of "community service": Little Svenny was a minor when some of the offenses were committed, the maximum sentence is five years, he confessed, and its presumably his first offense.
Americans do seem to look differently at this age issue for criminals. I dont want to assert too much, but I think its fair to say that Jaschan only superficially committed his crime in Germany. By launching large-scale malware attacks he committed crimes against computer users everywhere. If its wrong to punish a 17-year-old severely for such crimes, why is it not wrong to punish someone severely who is just a few months, perhaps even days, older?
In any event, there should be no doubt as to the severity of Jaschans crimes. The German police may have found only 130,000 euros worth of damage so far, but thats obviously a small fraction of the damage, and anyone smart enough to create these attacks is smart enough to conceive of the damage of which they are capable.
But the odds are lining up behind a light sentence, and in fact its even worse. In the wake of his arrest Jaschan was hired by a German security software firm called Securepoint, which specializes in defenses against viruses and worms, and the company says it will stick with Jaschan regardless of the outcome of the trial. Jaschan is all set to profit for the rest of his life from the notoriety of his offenses.
The forces of the law have been almost peripheral players in this saga, only brought in when prodded. Remember, Jaschan was only detected because a friend of his sold him out for reward money from Microsoft. Its rare, although not unheard of, for law enforcement to go after those who abuse the Internet and other users of it. Just recently a high-profile spammer was arrested trying to enter the United States, although this too seems to have happened partly because of the efforts of outside agencies.
Technical experts disagree over what can be done to make the Internet safer, so its not clear what the government could do, especially in the United States where jurisdictions are complicated. But people are coming to expect more, and I have to agree with them. A recent poll indicated that Americans want more government leadership in tackling Internet law enforcement, but that they have little faith in government agencies that would be responsible, and less faith than they have in Microsoft! That must hurt.
Still, if the Internet is a mainstream place for people to deal with each other, then policing it should be the job of governments. If theres an issue of how it will be paid for, I suggest that special taxes aimed at Internet usage be earmarked for Internet law enforcement.
But the big leap is for governments all over the world to start taking such crimes seriously. If the Sven Jaschans of the world get punished with careers in Internet security then theres no reason for anyone to take Internet laws seriously.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer