from the cyber-sentencing-still-mostly-incoherent dept
The treatment of all things "cyber" by the government is incredibly inconsistent. Give someone a password so they can deface a website for 40 minutes and it's two years in jail. Doxx, SWAT, and cyberstalk multiple people and the best the court can do is two years minus time served. The end result is one year in prison for Mir Islam, who doxxed multiple celebrities and politicians and called in fake threats that resulted in the swatting of at least nineteen people, including security researcher Brian Krebs, who uncovered Islam's doxxing tactics.
Krebs' investigation of Islam and his abuse of free credit report services to obtain personal information on a variety of public figures led to the following:
Peeved that I’d outed his methods for doxing public officials, Islam helped orchestrate my swatting the very next day. Within the span of 45 minutes, KrebsOnSecurity.com came under a sustained denial-of-service attack which briefly knocked my site offline.
At the same time, my hosting provider received a phony letter from the FBI stating my site was hosting illegal content and needed to be taken offline. And, then there was the swatting which occurred minutes after that phony communique was sent.
Nearly a dozen heavily-armed officers responded to the call, forcing me out of my home at gunpoint and putting me in handcuffs before the officer in charge realized it was all a hoax.
The response to the hoax call on Krebs' residence was, by comparison, minimal. Islam also called in a fake active shooter report at the University of Arizona campus. This was apparently in retaliation for a cheerleader's failure to realize Islam's cyberstalking was just another way of saying "I love you."
A woman representing an anonymous “Victim #3” of Islam’s was appearing in lieu of a cheerleader at the University of Arizona that Islam admitted to cyberstalking for several months. When the victim stopped responding to Islam’s overtures, he phoned in an active shooter threat to the local police there that a crazed gunman was on the loose at the University of Arizona campus.
According to Robert Sommerfeld, police commander for the University of Arizona, that 2013 swatting incident involved 54 responding officers, all of whom were prevented from responding to a real emergency as they moved from building to building and room to room at the university, searching for a fictitious assailant. Sommerfeld estimates that Islam’s stunt cost local responders almost $40,000, and virtually brought the business district surrounding the university to a standstill for the better part of the day.
Worse, some of Islam's swatting efforts and cyberstalking occurred while he was "cooperating" with federal prosecutors following his arrest for attempting to sell stolen credit cards to undercover agents.
Federal prosecutors wanted to see Islam jailed for nearly four years -- towards the upper reaches of the mandatory sentencing guidelines. Instead, the judge handed down a sentence of two years. Islam has been in federal custody since July 2015 and that time is being credited towards his sentence, meaning it will only be another year at the most before Islam is free again.
The credit for time served makes sense and the departure from the upper limits of the guidelines is something I would be extremely hesitant to suggest is a bad thing. Prosecutors wanted a much longer sentence, and the allegations here would seem to justify a lengthier imprisonment for Islam.
The problem with the government's fear of anything cyber-related is that the default mode for prosecutors is almost always the upper reaches of the sentencing guidelines, even when the severity of the criminal activity doesn't appear to warrant this sort of punitive sentencing. The government sought a longer sentence for Matthew Keys' minimal participation in a 40-minute headline alteration at a news website. Someone who endangered the lives of dozens of people by sending heavily-armed law enforcement officers after them -- in addition to doxxing a large number of public figures and participating in multiple cyberstalkings -- was apparently only deemed dangerous enough to warrant a 46-month sentence, as compared to the 60 months sought in the Keys case.
Then there's this:
Judge Moss, in explaining his brief deliberation on arriving at Islam’s two-year (attenuated) sentence, said he hoped to send a message to others who would endeavor to engage in swatting attacks.
Swatting has the potential to kill people, something clearly not reflected by the "severity" of this sentence.
As Brian Krebs points out, it does send a message, although certainly not the one the judge intended. It says you can endanger the lives of others without seriously affecting your own freedom. It also sends the message that the government -- as a whole -- will remain incoherent and inconsistent in its handling of cybercrime.