While I try to think that one should never be happy with the misfortunes of others, it is satisfying to see that Albert Gonzalez was sentenced to 20 years in prison for basically masterminding the compromise of more than 100 million credit cards.
While I would prefer it to be much more, this sentence at least appears to be of a reasonable scale for the crimes committed. However, this still appears to be an aberration: Cybercrimes are rarely punished to the extent that they should be. Frankly, most of the time, the punishment does not discourage the crime.
Let's first look at the scope of Gonzalez's crimes and the costs to society associated with those crimes. Consider that Gonzalez and his accomplices didn't just steal the cards, they used many of those and sold the ones that they didn't use. So, they cleaned out people's bank accounts, or sold the information to people whom they knew would use the cards for criminal purposes. The cost to individuals is very easily in the hundreds of millions of dollars, if not billions.
Additionally, there is the cost of replacing the credit cards, which is described as at least $10 each. That is minimally $1 billion in just the cost of reissuing 100 million credit cards.
Then there are the tangible and intangible costs to the individuals and banks for the challenging of charges and withdrawals against the accounts. That again is likely in the range of hundreds of millions of dollars.
Then there is the cost to the companies Gonzalez victimized. I will first say that I wholeheartedly acknowledge and condemn the victimized companies that had inadequate security in place. That, however, doesn't justify or excuse the crime. In the end, the victimized companies, poor security or not, pass the costs inevitably on to the consumer and society as a whole.
I can go on, but it is clear that Gonzalez caused billions of dollars worth of losses to the US economy.
Gonzalez's attorney claimed that some of the most egregious white collar criminals in recent history received less than 25 years in prison. That doesn't mean much to me. Most of those people are significantly older than Gonzalez, and 25 years represents a significantly larger proportion of their remaining lives. However, I look at that as a reason to stiffen up penalties for ruining people's lives, as opposed to weakening the sentences of other criminals.
Now let's take a look at a more typical computer crime. Robert and Todd Cook, a father and son team, were found guilty of selling more than $1 million worth of counterfeit software. They can potentially get up to five (5) years in prison and a $250,000 fine each.
The likelihood is that they will get significantly less time when sentenced. Minimally though, even if they get assessed the full fine, they still made a profit.
Think about that: Assume that the defendants get the maximum sentence. They profit $250,000 from their crimes and get five years in jail each. Every year in jail is worth a $50,000 profit. If they get one year in jail and are fined $250,000, they each basically still profit $250,000 and serve one year in jail for that profit.
Would you be willing to spend a year in jail to profit $250,000?
The lesson is that, given the laws and current sentencing guidelines, if you are going to commit a crime, commit a really big crime, but not a megacrime.
This, of course, assumes that the people are actually caught and prosecuted. The statistics vary, but it is pretty widely acknowledged that the odds of being caught and prosecuted for cybercrime are less than 1 percent.
It remains to be seen whether the Cooks will receive anything near the maximum penalties. After all, a judge might say that they were just engaging in father-and-son bonding.
Again, it seems bad to hope for the worst for others, but some people seem to deserve it, due to the harm they inflict.
— Ira Winkler, Former National Security Agency analyst and author of Spies Among Us