Leader: How to jail a cybercriminal

A common frustration among those in the more technical circles of society is the apparent inability of law-makers and prosecutors to provide a real deterrent to cybercrime in the courts.

Many of the judges gathering dust in courtrooms up and down the country either fail to comprehend the seriousness of crimes committed online or simply fail to comprehend, full-stop.

So for those of the 'lock 'em up and throw away the key' school of thought there was good news today with the sentencing of a British man who committed the largest known identity theft, affecting 30,000 people and resulting in losses of $2.7m. The man worked as a help desk employee for a large US credit company and while he was there he sold on the details of customers on the credit database.

For his part in the scam he was sentenced to 14 years in prison - no mean sentence by any measure. It certainly puts some of the community service orders and suspended sentences handed to virus writers into perspective.

The reason for such a relatively harsh sentence is simple - the clue is in the $2.7m sum.

It boils down to the fact the judge was given a concrete figure determining what this man's actions had cost. His crime suddenly became comparable to the theft of $2.7m worth of material goods, which is quite a heist.

The problem with convicting virus writers is the fact the damage they do is rarely quantified in these terms. While their actions may costs businesses worldwide millions of pounds, such figures are rarely supported in court or treated as anything more than supposition.

Many companies will repair the damage and get on with life as normal. Many will do so quietly, not choosing to shout about the fact they were hit by a virus, especially any publicly traded companies or those who should have known better than to be hit in the first place.

As such the actual damages are never brought to light or conveyed effectively to the judge or jury and the individual gets tried for little more than spreading a virus, consequence unknown.

If we are to see a greater array of convictions for cybercrime we need to have in place a recognised means of quantifying and reporting the damage done and a way of conveying to a judge that £1m of malicious or wanton damage online is exactly the same kind of crime as £1m of malicious or wanton damage in the real world.