A Finnish teenager has been convicted of 50,700 “aggravated computer break-ins” – and punished with what some say is a mere slap on the wrist.
On Wednesday, Finland’s District Court of Espoo found Julius Kivimäki guilty of cybercrimes that involved break-ins into Harvard University and the Massachusetts Institute of Technology (MIT), email hijacking, blocking traffic to websites, and credit card theft, the BBC reported. Despite the severity of the crimes, the 17-year-old hacker, largely because of his youth, has not been jailed, and instead received a two-year suspended prison sentence, according to the British network.
The incident has raised questions about how forcefully judicial systems around the world should deal with hackers, particularly those who are also juveniles.
“The danger in a [court] decision such as this is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18,” cybersecurity expert Brian Krebs wrote in his blog.
The ruling, he added, was a “win for Internet trolls.”
As they have with crimes committed by minors, authorities have struggled to strike the right balance in dealing with juvenile cybercriminals. Some officials’ attempts to deter young people from committing cybercrimes have been criticized as too heavy-handed.
Take the case of “Cosmo the God,” who in 2012 was found guilty of a slew of cyber-attacks, including credit card fraud, identity theft, and bomb threats. He was 15.
Cosmo’s sentence, issued in Long Beach, Calif., placed him on probation until his 21st birthday. Until then, he would not be allowed to use the Internet without supervision or prior consent from his parole officer, or for any purposes besides education, Wired reported at the time. He also had to hand over his passwords and account logins, and give up the computers that the FBI took when they raided his home. Violation of the terms would land him in jail for three years, according to Wired.
It was, as Gizmodo’s Sam Biddle put it, “the hacker equivalent of a death sentence.”
“To keep someone off the Internet for six years – that one term seems unduly harsh,” Jay Leiderman, a Los Angeles attorney who has represented alleged members of Anonymous and LulzSec, told Wired. “You’re talking about a really bright, gifted kid in terms of all things Internet. I feel that monitored Internet access for six years ... could sideline his whole life – his career path, his art, his skills. At some level it’s like taking away Mozart’s piano.”
Yet some experts say that heavy punishment is necessary to discourage young hackers from committing crimes in the future.
Mr. Kivimäki, who was previously linked to the hacker group Lizard Squad and who now describes himself on his Twitter profile as an “untouchable hacker god,” was able to compromise more than 50,000 computer servers, installing ‘backdoors’ that let him sneak in and retrieve information, the BBC reported. Prosecutors also accused him of carrying out denial of service (DoS) attacks – which interrupt or suspend the services of a host connected to the Internet – and of helping steal gigabytes worth of data from MIT's servers.
The latter attack incurred more than $213,000 in costs as a consequence, the company that ran MIT’s email infrastructure told the network.
These are serious crimes that merit serious punishment, Mr. Krebs noted.
“It is clear that the Finnish legal system, like that of the United States, simply does not know what to do with minors who are guilty of severe cybercrimes,” he wrote.
On the other hand, Kivimäki did spend a month in jail while awaiting trial, a fact that was also considered in his sentence.
“[The verdict] took into account the young age of the defendant at the time, his capacity to understand the harmfulness of the crimes, and the fact that he had been imprisoned for about a month during the pre-trial investigation,” a court statement said, according to the BBC.
One step that cybersecurity experts suggest against juvenile cybercrime is to teach cyber-ethics at an early age, and to perhaps even make it part of the curriculum, so that children grow up with a sense of what’s right and wrong in the digital space.
“We need to be teaching children, starting at a very young age, to shun all forms of cybercrime, from making illegal copies of software to stealing usernames and passwords and trespassing into systems that don’t belong to you,” Stephen Cobb, senior security researcher at cybersecurity firm ESET, wrote for the company’s news site.
Governments and other industries should also work to increase international pressure against hacking, as well to improve opportunities for talented young hackers, he added.
“The old saying that idle hands are the devil’s playthings also applies to hacking skills,” Mr. Cobb wrote. “If more people have them than there are jobs in which to employ them, those ‘skillz’ are apt to be misused.”