A man walks into a court and admits he orchestrated over 2,000 distributed denial of service (DDoS) attacks on a wide range of organizations including: Amazon, Vodafone, the BBC, BT, O2, Sprint, Virgin Media, Netflix, MIT, NatWest, the UK’s National Crime Agency and even the college at which he studies. What punishment should he receive? Incredibly, the conclusion from one UK court is that he should walk free, having received a suspended 16-month detention and training order. This is how the judge rationalized his sentence, as reported in the Yorkshire Evening Post:
Clearly it is a very serious offence.
But at the time you were 16 or 17 and I have to discount any sentencing because of your age at the time.
You are of positive good character. It is a tragedy to see somebody of your undoubted talents before the court.
Excuse me if I struggle to understand how somebody of ‘positive good character’ can engage in several DDoS attacks per day over the course of two years, causing millions of dollars of harm for little more than cheap thrills. Whilst the judge described the offence as ‘clearly’ serious, the punishment says otherwise. However, this court’s blasé attitude to DDoS attacks is much more common than it should be.
Jack Chappell spent two years ‘working’ as an administrator for vDOS, an illegal service that charged unskilled users for the privilege of knocking over websites by flooding them with traffic. During that time Chappell only received a paltry USD2,000 payment whilst his bosses in Israel are known to have made at least USD600,000 from their criminal enterprise. Chappell’s lawyer insisted his client was of good character:
…he has been manipulated. He is in many ways just as much a victim. He has been totally exploited and abused.
He is not a person who is malicious. He is mischievous.
But looking at the details of the case, the malicious and selfish side of Chappell’s character should be all too obvious. When he was late with a college assignment he resorted to bringing down the college’s website. In total he launched 21 separate attacks on his own college and on Jisc, a provider of computer networks to academic establishments across Britain. Chappell was not just interrupting his own education but obstructing thousands of students and researchers. The prosecution observed that Jisc were forced to spend GBP56,500 (USD76,500) on staff to address the problems caused by Chappell, and another GBP5mn (USD6.8mn) to mitigate future attacks. But Chappell was not satisfied by only causing damage, so he used a pseudonymous Twitter account to claim responsibility and taunt the people who were trying to get the networks back up, goading them with hashtags like #GetBetterProtection.
I dwell on this individual story because it is easy to be misled by lawyers in cases like these. It takes a tremendous effort to track down criminals like Chappell, but when they are finally caught we only hear about their personal sob story, and not the stories of all the countless victims of their crimes. It has been said that the internet is as important as water, and some of the more hyperbolic members of Western society assert that net neutrality is now vital to the functioning of democracy. If we really believed that, we should treat Chappell like he had poisoned our water supply, instead of just describing his crimes as ‘mischief’. As Brian Krebs noted on his blog, there is plenty of precedent for serious DDoS attacks being treated as trivial misdemeanors, even though they cause millions of dollars of harm, and immeasurable frustration for countless users who were prevented from accessing the web services they wanted.
We live in an era when a badly-worded tweet can become scandalous front-page news. DDoS attacks do a lot more damage than hurting people’s feelings, but the difficulty of connecting cause with effect means there is a temptation to treat DDoS as a victimless crime. Nor should the age of the criminal become an excuse; Chappell’s case shows how badly-behaved children play with fire on the internet as well as in real life. We cannot allow them to burn the house down, and that means punishing the troublemakers in addition to bolstering our networks.