Friday, August 22, 2008


You probably missed the story from Brunswick, Ohio that ran a couple of weeks ago: A hacker triggered the city’s 8 emergency warning sirens, so they blared out a false tornado warning. You can read about the hack, and watch a video story about it, via this link.

Many residents were confused when the sirens went off because the weather was apparently clear and calm. The police left messages on 14,000 phones, letting those residents know it was a false alarm.

Here’s what I find particularly interesting: The story said that until the hacker was caught or the system was changed, the sirens would remain shut down; they wouldn't be used to signal a tornado or other emergency.

Instead, the police would contact people who have signed up for the town’s telephonic warning system; if you’ve signed up, you’d get a call on your land line or cell phone telling you there’s a tornado or some other emergency. If you haven’t signed up (or don’t have a computer or access to a computer, since you sign up online) you wouldn't get a warning . . . until the hacker is caught or the system is fixed. (I'm assuming it's been fixed by now, but don't really know.)

I find this story interesting for several reasons. Let’s start with the charges that could be brought against the unknown hacker, first under Ohio law and then under federal law. Here’s what seems to be the applicable Ohio provision: “No person shall knowingly gain access to [or] attempt to gain access to . . . any computer system, or computer network without the consent of. . . the owner . . . or other person authorized to give consent by the owner.” Ohio Revised Code § 2913.04(B). If the perpetrator hasn’t been convicted of violating this provision before, the offense is a 4th degree felony; if the perpetrator has a prior conviction under this provision, it’s a 3d degree felony.

The news stories I can find on the Brunswick event don’t tell me much about how the unknown hacker gained access to the system. Let’s assume, though, that the facts show he/she did knowingly gain access to the Brunswick emergency computer system without consent. So we have a violation of this provision – we’ll assume our perpetrator doesn’t have any priors, so the crime is a 4th degree felony. I’ve skimmed the Ohio sentencing guidelines statute, and it looks to me like our hypothetical perpetrator could get off without doing jail time. Ohio Revised Code § 2929.13.

Under the sentencing guideline statute (It’s very complex; I don’t have the patience to parse it in detail, and I doubt you want me to do that here), a court is to impose a prison term on someone who committed a 4th degree felony if it finds that (i) certain aggravating factors apply and (ii) the offender is “not amenable to an available community control sanction”. The aggravating factors are as follows: (i) the crime caused physical harm to someone; (ii) the perpetrator threatened or tried to cause physical harm to someone with a deadly weapon or had a previous conviction for harming someone; (iii) he violated a position of public trust; (iv) he committed the crime as part of an organized criminal activity; (v) the crime is a serious sex offense; (vi) the perpetrator was in prison or had been in prison; (vii) he was on probation or out on bail; or (viii) he had a gun.
I don’t see how any of those apply.

The false alarms didn’t cause physical harm to anyone, nor does it seem that the perpetrator was trying to cause such harm. (Now, if he or she had disabled the sirens so they wouldn’t go off when a tornado came, that would qualify, especially if people were actually hurt.) Unless the perpetrator worked for the local police, I don’t see how a position of public trust or organized criminal activity was involved, and it’s not a sex crime. We doubt – but don’t know – if our guy was in prison, or had been in prison or was out on bail or on probation when he committed the crime, but we can pretty safely assume he did use a gun in committing it.

So there you go. If we have a first-time offender (my guess), the sentence would be probation. And that brings me back to an issue I’ve written about before: the balance between the “harm” a crime inflicts and the punishment imposed on the perpetrator. Is probation enough in this instance?

To figure that out, let’s consider the “harm” involved. As I noted above, this is not a scenario in which the perpetrator crippled the alarm systems, preventing people from learning that a tornado was heading toward them; that’s a serious “harm.” It’s basically another way of assaulting (maybe even killing) people. Here we have the reverse: an alarm when there was no need. The obvious “harm” is aggravation – people seem to have been unnerved at an alarm going off when the weather was clear and calm (and weather forecasters probably hadn’t said anything about possible tornados), and they also seem to have been justifiably aggravated when they found out it was a hoax.

So the “harm” inflicted was . . . aggravation . . . only? If it was just aggravation, then probation certainly makes sense. But was about the other “harm” – the “harm” to the warning system: As I noted above, police say they won’t use the sirens anymore until they catch their hacker (could take a while . . . happened in March and no one was caught) or they fix the system. I don’t know what fixing the system means; I assume it means hardening the system, and I don’t know how long that will take (or if it’s really possible).

Let’s assume it’s possible and it takes, say, two months. I checked two websites, and both told me that while the peak season for tornados in Ohio is April through July, they have happened later. So we have the additional “harm” of having the warning system taken offline during a period when tornados are not as likely as they were last month (I assume they know that) but are still possible. And, of course, there could be other emergencies . . . flood? . . . . terrorism? . . . asteroid? (I’m trying to be a little facetious because it really is unsettling to think of a town with no emergency system in place.)

The problem with these “harms” is that they’re not the kind of “harms” criminal law has ever taken cognizance of. As I’ve noted in various articles, criminal law is the oldest law. You see versions of criminal law in organized animal societies, like wolf packs. There are rules (don’t hurt others, don’t take their food, etc.) and there are punishments for those who break the rules. But neither wolves nor humans have really had to think about nebulous “harms” like the unavailability of a siren warning system before.

We see this in the federal statute that could apply here. Section 1030(a)(5)(A) of Title 18 of the U.S. Code makes it a federal crime to intentionally access a computer without being authorized to do so AND do one of the following: (i) cause “loss” of at least $5,000. (ii) alter or damage medical records or medical care; (iii) cause physical; (iv) cause a threat to public health or safety; or (v) damage a computer system a government entity uses in the administration of justice, national defense or national security. (If you want to read more about the statute, check out this Department of Justice manual.)

I don’t think the $5,000 loss option works because that option only applies when the perpetrator’s conduct inflicted economic loss. I don’t see any economic loss here. The best candidate is probably the “threat to public health or safety” option. We don’t have a threat to public health, as such, but we would seem to have a threat to public safety. The Department of Justice manual I noted above says this option applies when a computer intruder creates a threat by targeting an element of the country’s critical infrastructure. I’m assuming that would encompass this warning system.

If not, we could still try for the final option: a computer used in the administration of justice, national defense or national security. I don’t think the last two alternatives (national defense and national security apply); this part of the statute is apparently directed only at federally owned computers, like Department of Defense computers. Since the Brunswick system seems to be operated by the police, the “administration of justice” alternative should apply.

Okay, we’ve decided the unknown hacker could also be prosecuted under 18 U.S. Code § 1030. What kind of penalty would apply there? If the perpetrator only meant to hack the system, and didn’t realize that in so doing he/she was causing “harm” to people or to the administration of justice, the crime would be a misdemeanor if it was his/her first offense.

Misdemeanors have a maximum penalty of one year in prison, but this crime would probably result in probation, plus maybe community service. If this was a second or subsequent offense, then it would be a felony, and the person would be facing a 10-year prison sentence. If the person meant to cause the “harm” we identified above, then the crime would become a felony, even for a first offense, and would bring a sentence of 5 or 10 years in prison (5 if the offender recklessly caused the “harm,” 10 if he/she intended to cause the “harm”). The actual process of sentencing would a number of factors into account, including offender characteristics (e.g., age, priors) and issues surrounding the “harm” inflicted (e.g., the amount of risk to public safety, etc.).

The federal statute does a better job of actually encompassing the “harm” inflicted by a crime like this, but I’m still wondering how we should define and weigh the actual “harm” inflicted in this case, and others like it. I find a few news stories about cases in which a hacker attacked, or was preparing to attack a 911 system – the attack consisting of overwhelming the system so no one could use it. That, as I noted above, is not what this hacker did directly . . . but in a sense, his/her attack on the Brunswick emergency system had the same effect . . . since it was taken offline until. . . .

If you look at a case like this and just see the “harm” of aggravation (compounded, some quantum of aggravation for each of I don’t know how many victims), then I don’t see any reason why probation isn’t enough of a sanction. If you look at it and see additional, incremental “harm” of the type I’ve speculated about above, you then have to decide if you think that “harm” warrants more punishment . . . such as actual jail time.

It’s actually, I think, a rather difficult issue. The intertwining of the digital and tangible worlds means, IMHO, that we’re going to see the infliction of more intangible, nebulous “harms.” We will have to decide if we want our criminal law to encompass the infliction of those “harms” (which is the easier issue) and, if so, what kind of sanctions we think are appropriate for some one who . . . aggravates.

No comments: