A hacker who is facing charges for his involvement in the extensive breach of security firm Stratfor has penned a jailhouse missive that takes the US federal government to task for a “flawed and corrupt” approach to cyber security.
Jeremy Hammond (aka yohoho, tylerknowsthis, or crediblethreat), was arrested in March 2012 in Chicago and charged with crimes relating to the December 2011 hack of Stratfor. He faces a sentence of 30 years to life, if convicted, he said in his letter, which was posted online by the Sparrow Project.
In late 2011, hackers claiming to be associated with Anonymous hacked Stratfor and published information about the company’s clientele, including credit card information. Stratfor subsequently shut down its website and promised free ID theft protection for its customers. A short time later, Anonymous dumped thousands of additional documents obtained via the hack, and promised to attack “multiple” law enforcement targets over the New Year’s weekend.
Hammond took issue with the law being used to prosecute him – the Computer Fraud and Abuse Act (CFAA).
“My potential sentence is dramatically increased because the Patriot Act expanded the CFAA’s definition of ‘loss,’” he wrote. “This allowed Stratfor to claim over $5 million [£3.3 million] in damages, including the exorbitant cost of hiring outside credit protection agencies and ‘infosec’ corporations, purchasing new servers, $1.6 million [£1 million] in ‘lost potential revenue’ for the time their website was down, and even the cost of a $1.3 million [£860,000] settlement for a class action lawsuit filed against them.”
Hammond suggested that many “everyday computer users” run afoul of the CFAA because of its overly broad language. “The CFAA should be found unconstitutional under the void-for-vagueness doctrine of the due process clause,” he wrote. “Instead, Congress proposed bills last year which would double the statutory maximum sentences and introduce mandatory minimum sentences, similar to the excessive sentences imposed in drug cases which have been widely opposed by many federal and state judges.”
Hammond framed much of his argument around the recent suicide of Aaron Swartz, an Internet activist who was being prosecuted by federal authorities for allegedly downloading 4.8 million articles from JSTOR, a non-profit archive of academic journals, by tapping into the site from a computer wiring closet at the Massachusetts Institute of Technology. Swartz argued – and many agreed with him – that the articles he downloaded and shared were part of humanity’s collected knowledge that deserved to be shared freely amongst the scientific community.
Hammond argued that Swartz’s “efforts to liberate the Internet” made him a hero, not a criminal. But he fell victim to “the recent aggressive, politically motivated expansion of computer crime law where hackers and activists are increasingly criminalized because of alleged ‘cyber-terrorist’ threats,” Hammond said.
Hammond went on to argue that denial of service attacks (DDoS) – a frequent tactic of Anonymous – are not actually crimes. They are “more akin to an electronic sit-in protest, overloading the website’s servers making it incapable of serving legitimate traffic, than a criminal act involving stolen private information or destruction of servers,” he wrote.
After payment firms like PayPal, MasterCard, and Visa dropped support for Wikileaks in the wake of that site leaking confidential State Department documents, Anonymous organised DDoS attacks on the companies’ websites, with mixed success. Hammond argued that slowing down PayPal’s website for a few hours should not result in prison time and hefty fines.
The government, not surprisingly, disagrees. Back in 2011, the Department of Homeland Security warned that, given time and resources, Anonymous could become a real threat and carry out devastating cyber attacks on critical infrastructure.
Hammond suggested that was hypocritical, since the U.S. government has carried out cyber attacks of its own, pointing to reports that the US and Israel planted the Stuxnet virus to thwart Iran’s nuclear plans.
Last month, Congressional representative Zoe Lofgren – who represents Silicon Valley – proposed legislation that would update the CFAA so that violating terms of service do not carry hefty sentences. Hammond, however, is not hopeful about its prospects for passage.
“But since the same Congress had proposed increased penalties not even one year ago, any efforts at reform are unlikely to be more than symbolic,” he wrote. “What is needed is not reform but total transformation; not amendments but abolition.”
As part of his State of the Union address earlier this month, President Obama called on Congress to address the “growing threat from cyber attacks.” Obama got a head start prior to that speech by signing an executive order that he said will strengthen the country’s cyber defense by increasing information sharing and developing standards to protect security and privacy.