Business Daily from THE HINDU group of publications
Monday, Aug 11, 2008

eWorld - Security
Columns - Security Musings
Walking a thin line

Reuters

A slip could prove costly.

R.K.Raghavan

A case that recently attracted wide attention on both sides of the Atlantic should be of great interest also to those in India who closely follow cyber crime trends elsewhere in the world. It should further send out a strong message to hackers of both varieties, the ethical and the not-so-honest intruders on cyberspace, that cyber law rarely distinguishes between those with criminal intention and those not actuated by malice and merely looking for adventure.

I have written on this earlier in one of my columns. However, to refresh the memory of readers, this is the case of a 42-year-old Glasgow-born British hacker, Gary McKinnon, whose proposed extradition to the US was upheld by the House of Lords, the highest Court of the land, on July 30, 2008. This was on an appeal by McKinnon after he had been found guilty by the Trial Court and the High Court for charges of hacking into US government systems during 2001-02. While he admitted to the charge of hacking, McKinnon’s stand was that he was not a spy nor was he actuated by any malice while he resorted to his misadventure. In his view, a British court should try him, and not any in the US.

Charges against ‘Solo’

The specific charge against McKinnon (known as ‘Solo’ online) was that, apart from hacking into several Army, Navy and Air Force systems, he also broke into 16 NASA computers. The estimated damage to the US government was $7,00,000. Graver than this was the allegation that he altered several files of the system of a US Naval Air station soon after 9/11 and made it inoperable. The US prosecutors want him to admit the indictment and cooperate with their further investigation so as to tie up some loose ends. If he did not fall in line with them, they have threatened that he would be tried for more serious charges, including possibly cyber terrorism, a course of action that could result in his spending most of his remaining years in a US prison. McKinnon’s lawyers have, however, declared their resolve to fight extradition, if needed by going to the European Court of Human Rights.

What is of interest to most of us looking at cyber security issues is that McKinnon’s case highlights how lax some government information systems could be and how vulnerable they are to even amateur hackers such as McKinnon, especially an unemployed individual with lots of time on hand to float around cyberspace for hours on end, looking for excitement.

From fun to obsession

McKinnon was initiated into computers while he was just 14. After he gave up formal studies, his friends persuaded him into believing that he had a bright future in computers. He, therefore, took a course in computers, after which he had short contract assignments. At a point of time, he thought he should do some research in subjects that he considered fascinating, such as UFOs.

This is how he got into hacking, which soon became an obsession. When his adventures became serious and started having an impact on his domestic life, including the loss of a girlfriend, his friends advised him to desist from hacking. He would not listen to sane counsel, and went on to do what he liked best. This brought him within the radar of the UK’s Hi-Tech Crime Unit (HTCU) — now a part of the Serious Organised Crime Agency (SOCA), an equivalent of the FBI and our own CBI — and he was detained in 2002.

Interestingly, when this happened, there was relief for McKinnon. He actually told the BBC: “I think I almost wanted to be caught, because it was ruining me. I had this classic thing of wanting to be caught so there would be an end to it.” This I thought was pathetic to the core.

What is of even greater import was McKinnon’s ridicule of the security of the US Defence department’s computers. Once he found that the Pentagon used Windows, his estimate was that the system was eminently hackable. He used ordinary software available in the market to facilitate his operations. He claimed it was a cakewalk thereafter, because the Pentagon’s computers were not protected either by passwords or firewalls. If this claim was right, it spoke volumes about how careless even sensitive government departments could be when it comes to protecting information of a critical nature.

It is not inappropriate to recall here how, a few years ago, a pen-drive was used at our Naval HQ to smuggle out information on equipment purchases.

McKinnon said in his defence that he was not actuated by dishonesty. He was just a “bumbling computer nerd”. He went so far as to say that the US government should be grateful to him for having brought to the fore grave chinks in its armour.

The point is, can every hacker assume this stance of innocence after a deliberate break-in? The US prosecutors are, however, clear that McKinnon did not deserve any sympathy because, whatever be his motive, he had brought down vital networks forming part of the country’s national security set-up. This is highly debatable if one considered the fact that the English criminal law and ours demand mens rea (criminal intention) as the principal ingredient of a criminal offence.

Two more instances

How does one view similar hacking by even younger computer buffs? Two recent instances reported from the US are of interest. In the first one, Christopher Fowler, a Georgia student (19), was caught for cracking into his high school systems, allegedly for altering grades and stealing the passwords of other users. He also broke into the VoIP system of the school. He first obtained the password of one of the teachers with the help of keystroke logger software. This gave him access to several machines, and he ended up recording conversations he was not authorised to listen to. He has now been charged with both computer trespass and unlawful eavesdropping. It is still not known whether he used the information obtained by him for any unlawful or dishonest purposes.

In the second case, reported from Orange County, two teenagers have been hauled up for opening computer systems in the school for tampering with grades. One of these is now facing charges, which could result in a prison term of 40 years.

In the light of these episodes, is it not our task to educate the youth in schools and colleges on the nuances of cyber law, so that they do not unwittingly lapse into what, in their cursory understanding, is mere fun and frolic? Perhaps our Information Technology Ministry in New Delhi can use the media extensively for this laudable cause.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.


Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line