A 26-year-old Romanian man who admitted to hacking into NASA servers has received a three-year suspended prison sentence, while his legal team is challenging NASA’s damage claims of $580,000, according to media reports.
The convicted hacker, Robert Butyka, was arrested by prosecutors from the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) on November 15th, in his home city of Cluj-Napoca, Romania.
According to news reports, Butyka was charged with breaking into a computer system; possessing hacking tools; and modifying, damaging and restricting access to data without authorization.
During the first trial hearing on January 10th, Butyka admitted hacking several NASA servers starting on December 12, 2010.
The court in Cluj-Napoca on January 17th sentenced Butyka to three years of suspended prison time with a probation period of seven years. He can appeal the sentence within 10 days.
The Romanian court has formed a separate case to determine damages. That will be tried in a civil court on March 13th, giving NASA time to prepare evidence.
Would the hacker have received a weightier sentence were he to be tried in the United States?
Nah. According to Kelly Law Firm, current sentences for first-time offenders for a number of provisions relating to damaging computer systems max out at one year of jail time.
However, US penalties for criminal hackers would be turned into more meaningful punishment if the Obama administration gets its way.
Back in May 2011, the White House presented a legislative proposal to Congress in which it requested that the mandatory prison sentence for those who breach and cause substantial harm to critical infrastructure systems (those systems that manage or control national defense, national security, economic security, public health or safety) be increased to a minimum of three years.
The list of requested changes [PDF] to laws governing hacking includes the seizure of the equipment used to commit the cyber crimes – i.e., get ready to lose your gear, crooks – as well as anything the crooks got from their schemes by way of profits or goods.
Mandatory imprisonment of three years and loss of equipment: Is even that enough penalty to deter hackers? Surely not.
But as signals go, it beats the hell out of a suspended sentence.
It sends a much stronger message than we get from the image of a confessed NASA hacker who has the unmitigated gall to challenge an injunction to pay for damages he himself inflicted on US infrastructure.
Is $580,000 too high a claim for damages? Maybe, maybe not. That’s up to NASA to prove.
But the mere idea of challenging the damages after walking away, scot-free, without prison time?
Maybe it makes sense, but given the lenient sentence, it just smells like a bit of nerve.
$580k too high? It depends what scope of expenses NASA are including but investigating such cases is an expensive business. It will involve a lot of very expensive people possibly for many days. All kinds of hardware tests and software checks need to be carried out to identify the scope of the attack. In a big organisation that can be an extensive exercise. So I think the $580k is probably a bit of a bargain! One assumes they are not also including the cost of tightening up their security! But I wouldn't rely on that!
And I wouldn't think there is much chance of them getting their money anyway no matter how much they asked for!
Why not pay him a bonus, on the other hand? He DID alert them of the hack, secure their servers and hand them the key. Maybe that prevented a much bigger loss…
I suspect the reason for challenging the damages amount is that the guy would rather not be declared bankrupt.
Romania doesn’t have personal bankruptcy laws and as such he will be required to pay the full amount for the duration of his life. Mean net salary in Romania is about 200 usd / month, 2400 usd / year.
Sorry, not mean, minimum. Mean is about 420 usd / month, 5040 usd / year.
Given the propensity for claimants to overinflate losses in the past (see United States v. Riggs), I think it's right for the defendant to challenge the damages claim. Also, I doubt in a burglary case that you could claim losses for checking what has been stolen or damaged[1], so why should you be able to do the same in a hacking case?
1. Imagine Walmart claiming a million dollars in damages as the cost of a full stocktake to determine what had been stolen after a shoplifter stole a shirt, or a company claiming the cost of inspecting all the windows in a large office building after a vandal broke one window.
$580k spent on nailing down security which should have been nailed down in the first place is NOT damages, no matter how many ways it might be painted.
NASA’s security was (and mostly still is) Swiss cheese for a number of reasons. It would be FAR more productive to start charging federal employees for failing to secure systems in the first place.