The July 30 decision by Britain's Court of Appeal to allow the extradition of alleged cyber-hacker Gary McKinnon is one that takes some decoding. This much is sure: with only the hope of a last-ditch appeal to the European Court of Human Rights to cling to, the 42-year-old Briton's date with a U.S. court on charges linking him to what one U.S. prosecutor called "the biggest military computer hack of all time," is edging inexorably closer. Delivering a ruling that seemed pitched at would-be hackers everywhere, the appeal court judge said, "It must be obvious to any defendant that if you choose to commit a crime in a foreign country, you run the risk of being prosecuted in that country," and no matter that the sentence McKinnon faces is likely to be "appreciably harsher" than if he was tried in the U.K.
In its extradition papers, the U.S. government alleges, among other things, that between Feb. 2001 and March 2002 McKinnon hacked into 81 U.S. armed forces computers and another 16 belonging to NASA, compromised the safety of Navy ships, stole documents and passwords, triggered the shutdown of a 2000-terminal Washington network, deleted critical files and caused a total of $700,000 worth of damage. For his part, McKinnon admits to being a regular cyber-intruder, but has claimed he was searching for some trace of an alien energy technology he believed the U.S. government had discovered and reverse-engineered but was keeping secret in order to keep oil prices high. He also says he was caught because he used his own email address to register his software and that he was smoking a lot of pot at the time.
McKinnon's case pops up in a just-published book Hacking: Digital Media and Technological Determinism, by Tim Jordan, a lecturer at the U.K.'s Open University. "He's in there," says Jordan, "as as an example of how difficult it is for governments to tell the difference between organized terrorist or cyberwar attacks from other countries and the individual hacker." The remarkable depth and range of McKinnon's attacks and the fact that he appeared to be looking for something in particular is exactly the kind of pattern that security experts point to as evidence of cyberterror attacks. "This guy was organized and he was looking for specific material," says Jordan, who also blames the "absurd insecurity" of the U.S.'s cyber-defenses. "McKinnon was mainly using the basic technique of an automatic dialer that scans loads of machines until it finds ones that either have their administrator password still set to default or were just left open."
The scale of hacking round the world is notoriously difficult to estimate. By Jordan's own cautious assessment there are between 500 and 2000 hackers with the necessary skills to initiate a serious cyber attack and another 10,000 to 20,000 with the skills to use the pre-existing software to hack lower-grade security systems. And despite the sudden upswing in commercial cyber crime over the last 5 years, "The vast majority," he says, "are only interested in computer systems and the thrill and adventure of breaking into them."
Crackpot or not, McKinnon appears to have had a political motive, and should he come to trial in the U.S., he faces up to 70 years in prison, though it's likely to be nearer the 8 to 10 years prosecutors have threatened. He'll fare worse if they can prove he deliberately caused damage. Though Jordan is skeptical of the $700,000 damage bill, "McKinnon's defense that he's a freedom fighter," says Jordan, "who was searching for hidden information that the government was holding back from the people is pretty severely undermined if at the same time he was bringing down or breaking U.S. systems in a way that would constitute an attack."
Following the rejection of McKinnon's appeal against extradition, the hacker's lawyer claimed that the British government had decided not to prosecute him under U.K. law so that the U.S. could "make an example of him" a charge that carries some uncomfortable echoes. "They do seem to be going to inordinate lengths to get this guy extradited," notes Jordan, "but they could as much be making a point about extradition laws as about computer crime." It's possible, he says, "that the Bush Administration's hard line is of a piece with the kind of things we've seen round extraordinary rendition and Guantanamo they just believe that when there's a crime against the U.S. they have the right to have those people brought to the U.S. and they're willing to fight for that very strongly."
After the court hearing, McKinnon admitted his hacking activities had been "very misguided" and said he would have gladly settled for a U.K. trial, but the fact he didn't get one might have a simpler explanation than transatlantic collusion. In 2006, the U.K.'s National Hi-Tech Crime Unit the one that arrested McKinnon in 2002 was disbanded. Though there is pressure to rebuild a specialist e-crimes unit, mostly prompted by the soaring cost of cyber fraud, the U.K. government has so far failed to come up with funding. In short, says Jordan, "they don't take this kind of hacking seriously." Which may be why McKinnon's headed to America.