The recommendation of 7 years is just crazy, and even the lowered 5 years is just nuts. If you just look at the cost to the newspaper, it was at one point almost a million dollars, when the fix for the page was one editor reverting it.
> In order to be convicted of felony under the particular provisions of the Computer Fraud and Abuse Act which prosecutors used to charge Keys, the conduct must exceed a threshold of $5,000.
That someone is responsible for paying a company to shore up their security is an issue. Or the inflation of cost so Federal Prosecutors can get another win under their belt. That overreach is pretty high in this case.
A failure to change the locks does not mean you have created an attractive nuisance to former employees.
>In an unexpected twist, while going over the defense’s objections to the PSR, Judge Kimberly Mueller limited the amount of loss (for purposes of sentencing) to whatever had been presented at trial, thus drastically reducing the amount of prison time recommended by the sentencing guidelines. In the end, by the judge’s own determination, the appropriate range for sentencing was between 37 and 46 months.
So the actual sentence wasn't based on inflated numbers, and was lower than recommended based on actual numbers.
(Or are you saying the "evidence" of loss presented at trial was fake?)
If you're operating a company with real customers and real cash flow at any kind of real scale, and you suffer a serious breach, figure $50,000-$60,000 is table stakes for getting that breach resolved.
The intuition you need to price these things out is that once an attacker obtains unexpected unauthorized access to a system, the very next thing they do (and, in this case, the very next thing they tried to do, much to Keys' chagrin) is extend and persist access. Which means that if you're resolving a breach, you have to re-assess every system that the attackers got unexpected access to and verify that they didn't (a) implant something that will restore access in the future or (b) uncover some latent vulnerability that would allow them to do that.
Nobody reliably assesses internal systems (those systems you get unexpected access to once you successfully obtain unauthorized access). Nobody. An attacker gets behind the login prompt on a CMS you've deployed? You probably need to re-assess the whole CMS, because a big chunk of your security for that CMS probably relied on the idea that attackers don't know and can't reach all the URL endpoints behind the login prompt. The attacker gets code execution somehow? Now they're on your internal network, and the same goes for every system on the internal network.
It adds up fast. And your insurance company will (a) demand that you pay it, and (b) shortlist your DFIR vendors for you.
Not fun times.
At some point we have to acknowledge that these tough cyber laws do nothing but pass down intentionally harsh sentences to the unlucky few Americans who get the book thrown at them.
I predict we'll look back at them with the same embarrassment and shame we do mandatory minimum drug sentencing laws now.
So one way to look at this is that he got the same amount of time, or less, that he likely would have gotten if he had physically broken in and changed the title of the physical print of the paper (or had been an accomplice to others who actually perpetrated the criminal acts).
It's also becoming clear that the plaintiffs in these cases are completely washing their hands of their own responsibility for the crime. I understand that this is common in case law such as this, but if we want to actually secure this country against real cyber criminals then we need companies to step up and take responsibility for what's happening within their networks.
That's like saying you can get in trouble for giving someone a key to your old apartment, and then they go use it to unlock the door and do whatever they feel like inside. Or can you get in trouble for this, as maybe, an accessory?