Virus writers shouldn't get off so easy

Computer worms and viruses cost us millions in lost productivity and are among the biggest headaches for IT departments. So, says Declan McCullagh, the individuals who create these menaces should at least get the same types of punishments as car thieves and environmental polluters.

Jeffrey Lee Parson pleaded guilty last week to unleashing part of the MSBlast worm attack that wreaked havoc on the internet a year ago. He got off easy.

Federal prosecutors predictably touted Parson's guilty plea as an example for other would-be vandals. John McKay, the US attorney for Seattle, proclaimed: "The damage to individual computer users is very real, and the penalties are also very real."

Not really. McKay neglected to mention that Parson's all-expense-paid visit to Club Fed will be surprisingly brief. Prosecutors say that the deal they cut means that Parson, who is 19 years old, will be sentenced to between 18 and 37 months.

That's mild punishment for someone who admitted to inserting nasty features into the original version of MSBlast to make it more noxious. By releasing his MSBlast.B variant that took advantage of a bug in Microsoft Windows, Parson intentionally harmed tens of thousands of people for his own amusement.

Compare Parson's sentence with the far stiffer penalties that the government metes out to marijuana 'criminals', who harm nobody and cause no property damage. For the 2001 fiscal year, the average sentence for a marijuana offense was 38 months in prison, according to the Office of National Drug Control Policy.

Parson could be serving more time if he had simply stolen a neighbor's car on a whim. The average federal sentence for motor vehicle theft in 2000 was 28 months, the US Justice Department reports. Aggravated assault is punished with an average sentence of 33 months.

If prosecutors took real computer crimes seriously, might that deter future worm attacks? Consider that federal law says the maximum penalty for the offenses listed in Parson's arrest warrant is at least 30 years.

Light sentences for worm and virus writers is hardly a new phenomenon. In 1988, a Cornell University graduate student named Robert T. Morris released the first internet worm - and was eventually sentenced to three years' probation, 400 hours of community service and a $10,000 fine.

Morris probably didn't deserve a harsher sentence. He never meant for his worm to spread so quickly that it became a worldwide menace (a programming error, not malice, made that happen). Today's generation of so-called script kiddies have no excuse - their handiwork is carefully crafted to be both disruptive and destructive.

David L. Smith, who created the Melissa virus, which clogged the internet in 1999, was sentenced in 2002 to 20 months in prison and a $5,000 fine. Jan de Wit, the 20-year-old living in the Netherlands who wrote the Anna Kournikova virus, received only 150 hours of community service - and no jail time.

Better deterrence is especially important because the FBI and other police agencies have such a poor record of identifying the virus and worm writers that infest the internet's underbelly.

The FBI and its counterparts have failed to convict anyone for a slew of viruses and worms, including Code Red, Nimda, SirCam, Klez, Sobig and Nachi. Police failed to identify the author of the Slammer worm, which threw some bank ATMs offline and knocked out a PC network at a nuclear power plant in Ohio. (A $5 million reward fund created by Microsoft has had better luck, nabbing a Sasser suspect in May.)

You might expect criminals who intentionally infect tens of thousands of computers to be treated at least as harshly as environmental scofflaws. An example: In 1999, the plant manager at LCP Chemicals of Brunswick, Ga., was sentenced to six and a half years in prison for illegally releasing mercury and chlorine into a nearby creek. The chairman of LCP Chemicals' parent company received a nine-year prison sentence.

Worms and viruses pollute today's internet and cost society far more to clean up than LCP Chemicals' toxic release. So why do their creators get off easier?

Declan McCullagh writes for CNET News.com