IMMUNIZING THE INTERNET, OR: HOW I LEARNED
TO STOP WORRYING AND LOVE THE WORM
In a 1997 exercise, National Security Agency teams hacked into
computer systems at four regional military commands and the National
Military Command Center and showed that hackers1 could
cause large-scale power outages and 911 emergency telephone network
overloads.2 The following year, members of the hacker group L0pht
Heavy Industries testified before the Senate Committee on Governmental
Affairs that it would take them only thirty minutes to render
the Internet unusable for the entire nation.3
Maintaining computer network security presents the unique problem
of automated attack methods that can compromise millions of systems,
all of which share the same vulnerabilities. Cybercrime is becoming
easier to carry out, and as society becomes more dependent on
the Internet, the risk of a catastrophic attack looms larger. This Note
argues that computer networks, particularly the Internet, can be
thought of as having immune systems that are strengthened by certain
attacks. Exploitation of security holes prompts users and vendors to
close those holes, vendors to emphasize security in system development,
and users to adopt improved security practices. This constant
strengthening of security reduces the likelihood of a catastrophic attack
— one that would threaten national or even global security. In
essence, certain cybercrime can create more benefits than costs, and
cybercrime policy should take this concept into account.4
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
1 This Note uses the term “hacker” to describe people skilled in the art of breaching computer
security systems, whether they do so legally or illegally.
2 Bradley Graham, U.S. Studies New Threat: Cyber Attack, WASH. POST, May 24, 1998, at
A1.
3 STEVEN FURNELL, CYBERCRIME: VANDALIZING THE INFORMATION SOCIETY 72–73
(2002).
4 The idea that the architecture of computer systems can be a more powerful regulatory force
than law itself is not new. See LAWRENCE LESSIG, CODE 4–8 (1999); Neal Kumar Katyal, Digital
Architecture as Crime Control, 112 YALE L.J. 2261 (2003). Professors Lessig and Katyal are
generally wary of the regulatory power of code. See LESSIG, supra, at 6 (“This code presents the
greatest threat to liberal or libertarian ideals, as well as their greatest promise.”); Katyal, supra, at
2281 (“[W]e should fear the response to cybercrime — private architectures of control — nearly as
much as the crimes themselves.”). Professor Katyal argues that allowing the market to minimize
crime may occur only at a cost that is too dangerous to bear, id. at 2283, and that direct government
regulation of code is a far better solution, id. at 2284–85. Although this Note argues that
private responses to computer crime are necessary, it leaves open the possibility of government
regulation of those private responses to ensure that they do not threaten “transparency and individual
freedom.” Id. at 2284. Finally, this Note argues that, to some extent, what Professor
Katyal fears — people becoming wary of entrusting important aspects of their lives to the Internet
— is a good thing.
2006] IMMUNIZING THE INTERNET 2443
Current federal law, however, does not properly value such strategic
goals because it does not treat cybercrime differently from other
crime.5 During the Clinton Administration, the President’s Working
Group on Unlawful Conduct on the Internet, which included the Attorney
General and a number of other officials, stated that “substantive
regulation of unlawful conduct . . . should, as a rule, apply in the
same way to conduct in the cyberworld as it does to conduct in the
physical world.”6 As this Note shows, however, prosecution and punishment
of computer hackers under current law will ultimately lead to
a less secure information infrastructure. Not only does current policy
create the wrong incentives regarding cybercrime, it does too little to
encourage computer hackers and computer users to contribute actively
to Internet security. A more nuanced approach to cybercrime punishment
and policy may make the difference in stopping a catastrophic
attack.
Part I describes how cybercrime differs from other crime, noting
that it presents a uniquely grave threat to global security but is also
amenable to innovative law enforcement approaches. Part II argues
that certain cyberattacks can create security benefits that outweigh the
damage they do. Part III proposes several cybercrime policy reforms,
including changes in hacking penalties, increased cooperation with
hackers, and encouragement of greater user involvement in security.
I. WHY CYBERCRIME IS DIFFERENT
Cybercrime differs from other crime in important respects, and
combating it requires a specialized approach. It is unique in at least
two ways: First, it operates within a highly generative system,7 making
it more likely to create beneficial effects that outweigh its costs. Second,
the perpetrators often possess a particular psychology that makes
them amenable to more innovative law enforcement methods.
Professor Jonathan Zittrain has drawn the sharpest picture of the
importance of generativity, which he describes as a function of leveragability,
adaptability, ease of mastery, and accessibility.8 The Internet,
he says, is “exceptionally generative” because its architecture
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
5 See PRESIDENT’S WORKING GROUP ON UNLAWFUL CONDUCT ON THE INTERNET,
THE ELECTRONIC FRONTIER: THE CHALLENGE OF UNLAWFUL CONDUCT INVOLVING
THE USE OF THE INTERNET (2000), http://www.usdoj.gov/criminal/cybercrime/unlawful.htm.
6 Id.
7 Although this Note focuses on cybercrime, the principles herein could be applied to any
generative system. For example, if biotechnology or nanotechnology were to advance to the point
at which commodity hardware could be used by moderately knowledgeable users to produce self-replicating
organisms or nanomachines, the worry of catastrophic attack could prompt policymakers,
in punishing related crimes, to adopt an analysis that accounts for the potential benefits
of those crimes.
8 Jonathan Zittrain, The Generative Internet, 119 HARV. L. REV. 1974, 1981–82 (2006).
2444 HARVARD LAW REVIEW [Vol. 119:2442
solves difficult data distribution problems and is “amenable to a large
number of applications,” is “easy to master,” has no “central gatekeeper,”
and uses publicly available protocols.9 This generativity allows
the Internet to act as a powerful catalyst for the economy, for the
arts and sciences, and for free thought. E-commerce now accounts for
over ten percent of total U.S. commerce, and that number is increasing.10
Worldwide Internet usage is growing at a prodigious rate, and
almost every major corporation and government entity has a significant
Internet presence.
But the millions of computers connected to the Internet bring with
them the threat of cybercrime that can leverage the resources and vulnerabilities
of those computers.11 Millions of computers around the
world contain security holes, many of them easily fixed, but many also
undiscovered.12 These flaws allow hackers to invade systems and take
control of their operations, steal and destroy data, and even use those
systems for further attacks. The statistics are staggering: the FBI has
made a conservative estimate that cybercrime costs more than one-half
of one percent of the U.S. gross domestic product.13 Computer security
incidents — some of which can cripple huge swaths of the Internet
— have been on the rise for years.14
The Internet’s generativity allows attackers to leverage limited resources
into massive attacks with ease. In distributed denial-of-service
(DDoS) attacks, self-propagating worms take control of vulnerable
computers (which are often ordinary personal computers in a home or
office with a broadband connection); the attackers then command the
computers to flood targeted systems with requests for information,
preventing legitimate traffic from getting through.15 Such attacks can
overwhelm even the most powerful and well-managed servers.16
Internet worms now use increasingly novel and creative methods to
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
9 Id. at 1987–88.
10 U.S. Dep’t of Commerce, E-Stats 2 (May 11, 2005), http://www.census.gov/eos/www/papers/2003/2003finaltext.pdf.
11 See Zittrain, supra note 8, at 2012 (“[T]he fundamental problem arises from generativity
. . . .”).
12 Computer systems contain so many critical flaws in part because they are incredibly complex,
the software changes rapidly, and there have been few consequences for companies that develop
flawed software. See Charles C. Mann, Why Software Is So Bad, TECH. REV., July-Aug.
2002, at 33, available at http://www.technologyreview.com/InfoTech/wtr_12887,300,p1.html.
13 FBI, 2005 FBI COMPUTER CRIME SURVEY 10 (2005), available at http://www.newleafproductions.com/ccs2005.pdf.
14 See Zittrain, supra note 8, at 2011 fig.1.
15 See FURNELL, supra note 3, at 109–11; Gregg Keizer, Dutch Police Crush Big ‘Botnet,’ Arrest
Trio, INFO. WEEK, Oct. 10, 2005, http://informationweek.com/story/showArticle.jhtml?articleID=171204550
(describing a “botnet” of 100,000 compromised computers used, among other
things, to conduct attacks against a corporation’s website).
16 See FURNELL, supra note 3, at 30–31; David Kleinbard, More Sites Hacked in Wake of
Yahoo!, CNN MONEY, Feb. 8, 2000, http://money.cnn.com/2000/02/08/technology/yahoo.
propagate.17 Moreover, just by searching for new hosts to infect,
worms can produce so much traffic that they effectively shut down
large parts of the Internet and damage even internal systems, such as
ATM and airline reservation networks.18 Even old-fashioned e-mail
worms, which rely primarily on user ignorance, can spread to hundreds
of thousands of computers.19 The combination of ever more
creative hackers, the prevalence of powerful computers and broadband
Internet connections, and untrained and apathetic users has created an
environment in which damaging attacks on the information infrastructure
can be unleashed with ease.
The risk of a serious cyberattack by terrorists or a foreign government
is greater than ever;20 a cyberattack coordinated with physical
attacks could compound the fallout by disrupting communications, distracting
the government response, and exacerbating the psychological
damage from terrorism. What is more, hacking is becoming increasingly
easy.21 Therefore, prosecution of cybercrime has become important
not just to law enforcement but also to global security. The structural
risks inherent in computer networks, however, make it clear that
cybercrime cannot be effectively combated solely with traditional law
enforcement tools.
Because the Internet’s generativity makes it both extremely valuable
and extremely vulnerable to attack, cybercrime can create net
benefits. As the next Part explains, cybercrime can expose security
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
17 See, e.g., Ted Bridis, Computer Researchers Warn of Net Attacks, YAHOO! FIN., Mar. 16,
2006, http://biz.yahoo.com/ap/060316/internet_attack.html; Santy Worm Makes Unwelcome Visit,
BBC NEWS, Dec. 22, 2004, http://news.bbc.co.uk/1/hi/technology/4117711.stm.
18 See Computer Worm Grounds Flights, Blocks ATMs, CNN.COM, Jan. 26, 2003,
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html (describing the SQL
Slammer worm, which caused no permanent system damage but temporarily shut down Bank of
America’s ATM network, forced Continental Airlines to cancel and delay flights, and slowed corporate
and government networks “to the point of inaccessibility”).
19 See, e.g., SANS Internet Storm Ctr., BlackWorm Summary, http://isc.sans.org/diary.php?storyid=1067
(last updated Feb. 3, 2006).
20 See H.R. REP. NO. 107-609, pt. 1, at 65–66 (2002), reprinted in 2002 U.S.C.C.A.N. 1352,
1355 (“As the United States becomes increasingly dependent on information technology it is also
more vulnerable to cyber warfare attack by terrorists.”); ASHTON B. CARTER & WILLIAM J.
PERRY, PREVENTIVE DEFENSE: A NEW SECURITY STRATEGY FOR AMERICA 149 (1999)
(including in the definition of “catastrophic terrorism” a “cyberattack on the computer systems
that increasingly support our society’s vital infrastructure”); WHITE HOUSE, THE NATIONAL
STRATEGY TO SECURE CYBERSPACE 6 (2003), available at http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf
(“Of primary concern is the threat of organized cyber attacks capable of
causing debilitating disruption to our Nation’s critical infrastructures, economy, or national security.”);
Tom Espiner, Security Experts Lift Lid on Chinese Hack Attacks, ZDNET UK, Nov. 23,
2005, http://news.zdnet.co.uk/internet/security/0,39020375,39237492,00.htm (“Governments will
pay anything for control of other governments’ computers.”).
21 See U.S. GEN. ACCOUNTING OFFICE, INFORMATION SECURITY: COMPUTER
ATTACKS AT DEPARTMENT OF DEFENSE POSE INCREASING RISKS 15 fig.1.2 (1996), available
at http://www.pbs.org/wgbh/pages/frontline/shows/hackers/risks/1996dod.pdf.
flaws that, if fixed, can prevent more devastating future attacks.
Other types of crime, such as terrorist attacks or bank robberies, cannot
be considered beneficial in the same way that cybercrime might be.
Although the 9/11 hijackers exposed security vulnerabilities in the air
transportation system, such vulnerabilities are not leverageable in the
same way computer network vulnerabilities are — the hijackers could
not have easily taken control of many more planes than they actually
did.22 Similarly, although a bank robbery could reveal a vulnerability,
there is little danger that the security hole would otherwise have been
exploited in a catastrophic attack on thousands of banks. Realspace
simply is not as generative as the Internet.
Cybercrime is also different from other crime because it is amenable
to innovative law enforcement approaches that exploit its unique
underlying psychology. The objective of a bank robbery is to obtain
money. Terrorists usually wish to maximize damage. Cybercrime,
however, often provides no financial gain; many cyberattacks seem to
originate from a desire for fame and attention or fun and challenge.23
Hackers often cause little to no permanent damage to the systems they
successfully penetrate.24 This is true even of many high-profile cyberattacks,
in which damage initially appears to be widespread.25 Therefore,
cybercrime policy may plausibly be able to encourage hackers to
perform less damaging attacks, whereas it is almost completely im-
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
22 Admittedly, a much less damaging crime could also have revealed the same security holes.
Arguably, however, the biggest hole — the failure to imagine that jetliners could be used as weapons
— could have been revealed only through a devastating attack.
23 See FURNELL, supra note 3, at 53; Clive Thompson, The Virus Underground, N.Y. TIMES,
Feb. 8, 2004, § 6 (Magazine), at 28 (“When Mario is bored . . . he likes to sit at his laptop and create
computer viruses and worms.”). Professor Michael Rustad identifies six Internet subcultures,
including retreatists, whose hacking is motivated by thrill-seeking; rebels, for whom hacking is a
form of civil disobedience; and nonutilitarian hackers, whose motives include exhibiting technical
expertise, retaliation, computer voyeurism, and assertion of a belief in open access to computer
systems. Michael L. Rustad, Private Enforcement of Cybercrime on the Electronic Frontier, 11 S.
CAL. INTERDISC. L.J. 63, 77–83 (2001). Only one of the subcultures involves hacking for financial
gain: “innovators,” many of whom are part of organized cybercrime groups located in Eastern
Europe. See id. at 72–76.
24 See FURNELL, supra note 3, at 100–01 (describing objectives such as defacement of materials,
theft of information or software, use of systems as cover for other cybercrime, and use of systems
as repositories, and noting that outright destruction of content “is unlikely in most cases”).
25 Such attacks have included, for example, defacing web sites and releasing worms that did
not destroy data. See FURNELL, supra note 3, at 103–09 (describing defacement of web sites of
the U.K. Labour Party, the New York Times, and RSA Security, Inc.); Zittrain, supra note 8, at
2003–05, 2008–09 (describing the Morris worm, which did no permanent damage, and noting that
“the overwhelming majority of viruses that followed in the 1990s reflected similar authorial restraint”).
The reasons for this phenomenon may include a lack of desire to do harm or the perception
that destroying data is not a sufficiently creative payload. See Thompson, supra note 23, at
28 (describing a virus writer who “prefers to create viruses that don’t intentionally wreck data,
because simple destruction is too easy”).
plausible that the law could convince bank robbers to take less
money.26
These unique aspects of cybercrime and the Internet suggest that a
nontraditional response is appropriate. The next Part argues that the
law can shape the behavior of many cybercriminals to encourage less
destructive attacks that still reveal important security information.
Part III uses the concept of beneficial cybercrime to suggest policy reforms.
Encouraging beneficial cybercrime is not the only way to secure
the Internet, but it is a powerful tool in an area that requires
every tool available.
II. A NEW MODE OF ANALYSIS: BENEFICIAL CYBERCRIME
The possibility that a small group with few resources could leverage
the generative power of the Internet to do enormous amounts of
damage makes securing the Internet of utmost importance. For that
reason, certain kinds of cybercrime are actually beneficial because they
call attention to security risks, spurring fixes and other precautions
that will prevent more damaging future attacks. Such crime, of
course, can be considered net beneficial only if the damage caused is
less than the probable discounted damage from the future attacks that
would have occurred had the security hole not been fixed.27
Judge Richard Posner argues that cost-benefit analysis is “an indispensable
step” in making policy concerning catastrophic risks, noting
that “[e]ffective responses to most catastrophic risks are likely to be extremely
costly, and it would be mad to adopt such responses without
an effort to estimate the costs and benefits.”28 In the realm of cyberterrorism,
however, effective responses may be very cheap compared
to the possible risks. This Note proposes several responses that
would reduce the risk of catastrophic cybercrime, incur relatively little
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
26 Admittedly, the law does try to deter bank robbers from hurting bystanders through grading
and the felony murder rule. See, e.g., U.S. SENTENCING GUIDELINES MANUAL § 2B3.1(b)(2)–(3),
(c) (2005). Sentencing rules for robbery do take the size of loss into account, see, e.g., id.
§ 2B3.1(b)(7), but the point is that the object of robbery — to take money — is directly correlated
with loss, whereas the object of much cybercrime is less so.
27 Therefore, “beneficial” as used in this Note refers to a cost-benefit analysis of some sort.
Although the costs and benefits can be difficult to estimate, see RICHARD A. POSNER,
CATASTROPHE: RISK AND RESPONSE 171–75 (2004), it is possible to estimate ranges of costs
and benefits, which can assist in decisionmaking, id. at 173. See also id. at 175–87 (describing
methods to cope with uncertainty, including information markets, inverse cost-benefit analysis,
the tolerable-windows approach, and risk-risk assessment).
28 Id. at 139. Judge Posner considers cyberterrorism a possibly catastrophic risk but notes that
“at present [computer viruses] are more a nuisance than a serious problem.” Id. at 85. Professor
Cass Sunstein’s Anti-Catastrophe Principle, according to which “a large margin of safety makes a
great deal of sense” when the “worst-case scenario is truly catastrophic and when probabilities
cannot be assigned,” logically applies to cybercrime as well. CASS R. SUNSTEIN, LAWS OF FEAR
115 (2005).
cost, and possibly even reduce the damage sustained from noncatastrophic
cybercrime.29
There are two ways in which crime can help increase cyberspace
security: by raising awareness about security holes30 and by encouraging
general security improvements and basic research.
Crime That Raises Awareness of Security Holes. Perhaps the most
beneficial cybercrimes are attacks that unveil previously unknown security
vulnerabilities. Malicious hackers continually search for undiscovered
(and therefore unpatched) vulnerabilities to exploit. It is even
conceivable that foreign militaries and terrorists are hoarding multiple
vulnerabilities, creating an array of worms and viruses that can be
unleashed in a single, cataclysmic attack.
When an undiscovered security hole is revealed through an attack,
the event is known as a “zero-day exploit.”31 In many of these cases,
the hacker exploiting the vulnerability is also the first person to have
discovered it. If the attack is detected, there is a benefit: the owners
and producers of vulnerable systems will learn of the vulnerability and
work to patch it. Of course, there is a cost as well: the damage caused
by the attack.
Security holes revealed in this way do not always have to be discovered
in specific hardware or software. For example, some of the
most famous and destructive e-mail viruses exploited a system design
flaw in combination with a distinctly human flaw: that people had the
ability and desire to open attachments to enticingly named e-mails —
in one notorious example, one that said “ILOVEYOU.”32 Such ex-
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
29 Judge Posner identifies several problems that could cause underinvestment in risk reduction.
See POSNER, supra note 27, at 92–138 (discussing the problems of scientific illiteracy, misuse
of science, limited horizons, psychology, global decentralization, and public choice).
30 This Note assumes that disclosure of security vulnerabilities is generally a better policy than
secrecy. Professor Peter Swire identifies several variables and assumptions that bear on the validity
of this premise. Peter P. Swire, A Model for When Disclosure Helps Security: What Is Different
About Computer and Network Security?, in THE LAW AND ECONOMICS OF CYBERSECURITY
29, 39–41 (Mark F. Grady & Francesco Parisi eds., 2006). Although he does not take a
definitive stance on which policy is better, Professor Swire notes that in the realm of computer
security, the combination of cheap, automated attack methods and easy communication among
attackers makes it more likely that obscurity is a poor method of defense. Id. A crime that reveals
security information can be preferable to no crime.
31 SearchSecurity.com, Zero-Day Exploit, http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci955554,00.html
(last updated Dec. 1, 2005). Although the term can refer to vulnerabilities
that are disclosed and later exploited the same day, it also includes vulnerabilities that the
malicious hacker discovered first — in other words, the exploit is the disclosure. In some cases, a
vendor may know about a vulnerability “before an exploit is created or before the vulnerability is
disclosed publicly.” Tony Bradley, Zero Day Exploits: Holy Grail of the Malicious Hacker,
ABOUT.COM, http://netsecurity.about.com/od/newsandeditorial1/a/aazeroday.htm (last visited
May 13, 2006). In such a case, an attack should be considered one that publicizes a known security
hole as analyzed infra p. 2449.
32 This virus, known popularly as the “Love Bug,” was estimated to have caused at least $7
billion in damage. See FURNELL, supra note 3, at 159–63. Preying on user ignorance continues
ploits are dangerous because vendors and security analysts spend less
time looking for them and because it is much harder to “patch” a person
than a computer.33
Even an attack that exploits a known security hole, and thus does
not yield the benefit of revealing a new vulnerability, can be beneficial
by prompting users and vendors to patch the hole. Known but unpatched
vulnerabilities, after all, can be just as dangerous as unknown
vulnerabilities. Many of the most damaging viruses and worms have
exploited vulnerabilities for which a patch or other countermeasure
had been available for months or even years, relying on the negligence
of users who fail to apply the patches.34
Attacks prompt responses from both users and vendors. Owners of
compromised machines will notice degraded performance and attempt
to fix the hole, and a widespread attack generates media reports that
prompt even unaffected users to ensure their patches are up-to-date.
Vendors pay more attention to fixing vulnerabilities that are actively
being exploited.35 Attacks can also prompt vendors to cooperate more
effectively with users in distributing and applying patches.36
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
to prove effective. See Marsha Walton, New Worm Relies on Old Trick, CNN.COM, Feb. 2, 2006,
http://www.cnn.com/2006/TECH/internet/01/31/kamasutraworm/index.html.
33 Arguably there is no way to patch such human vulnerabilities in a technological sense. See
Walton, supra note 32. But the obvious nontechnological patch is user training, and a more indirect
technological patch does exist: a redesign of the system that makes it harder for users to shoot
themselves in the foot. For example, email programs could by default not allow users to open attachments
that are executable or warn them of the dangers of doing so.
34 See, e.g., Anne Kandra & Andrew Brandt, The Great American Privacy Makeover, PC
WORLD, Nov. 2003, at 144, 150–52, available at http://www.pcworld.com/reviews/article/0,aid,112468,pg,3,00.asp
(“While 83 percent of our survey group said they use an antivirus application,
only 73 percent update their [virus] definition files regularly. . . . [O]nly about 63 percent of survey
takers [keep up with new software versions and install security patches].”); ‘Code Red’ Computer
Worm Targets White House, CNN.COM, July 20, 2001, http://archives.cnn.com/2001/TECH/internet/07/20/code.red.worm
(describing the Code Red worm, for which a patch was available,
and noting that “even the most meticulous system administrators have a hard time keeping up
with all the patches and fixes necessary”); Sasser Net Worm Affects Millions, BBC NEWS,
http://news.bbc.co.uk/1/hi/technology/3682537.stm (last updated May 4, 2004) (describing the
Sasser worm’s infection of millions of personal computers using a security hole for which a patch
was available).
35 See Peter Galli, Windows vs. Linux: Think Patch Quality, Not Quantity, EWEEK.COM, Jan.
11, 2006, http://www.eweek.com/article2/0,1895,1909747,00.asp (“Red Hat made fixes for every
[critical vulnerability] available to customers . . . within two days of the vulnerabilities being
know to the public, with 87 percent of them being available the first day.”); Brian Krebs, A Time
To Patch, Jan. 11, 2006, http://blogs.washingtonpost.com/securityfix/2006/01/a_timeline_of_m.html
(“Last Thursday, Microsoft released a patch to fix a . . . 0day (‘zero day’) vulnerability for
which an exploit was publicly disclosed . . . [in] just 10 days . . . .”).
36 See MICROSOFT CORP., 2005 GLOBAL CITIZENSHIP REPORT 21 (2005), available at
http://www.microsoft.com/citizenship/default.mspx (“[W]orms and viruses were causing tremendous
damage because [security] updates weren’t being implemented. . . . The first step was to encourage
more people to use a service . . . [that] automatically downloads critical software updates
from Microsoft whenever a user establishes an Internet connection.”).
Moreover, media coverage and user complaints can prompt vendors to
take action; without such attacks, vendors would probably be more
complacent.
Crime That Prompts General Security Improvements. Cybercrime
also has the potential to spur market solutions to security problems.
Ideally, users would make purchasing decisions based on perfect information
about product security. Such information can be provided
accurately only through the real-world testing that occurs in the case
of actual attacks. Users who are dissatisfied with the number of vulnerabilities
or with the speed and ease with which they are patched
will naturally shift to different vendors or even to wholly different
communications methods.37 For example, millions of Microsoft Internet
Explorer users have switched to Mozilla Firefox, many for security
reasons.38 Security concerns can even convince people to change operating
systems.39 Such market activity in turn prompts vendors to improve
their design and support processes.40
Because the Internet was originally created for a closed group of
trusted users, it was not designed with today’s security threats in
mind.41 It was “designed to be ‘open,’ with distributed control and
mutual trust among users.”42 The new ubiquity of the Internet, however,
has eroded the security bulwarks that protected the early Internet.43
The new threats the Internet faces underscore the importance of
refocusing system design methods on increasing robustness. A few initiatives
have already begun the process: IPv6 is a redesign of the basic
protocol upon which the entire Internet runs, offering new security fea-
tures and the promise of a “long-term evolution to new security para-
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
37 Security flaws are not always vendor-specific; often the flaw is with the standardized protocol
underlying the system, which can be common to many vendors. See, e.g., Marguerite
Reardon, VPN Flaw Threatens Internet Traffic, CNET NEWS.COM, Nov. 14, 2005,
http://news.com.com/VPN+flaw+threatens+Internet+traffic/2100-1002_3-5951916.html?tag=nefd.top.
38 See Michelle Delio, Mozilla Feeds on Rival’s Woes, WIRED NEWS, July 2, 2004,
http://www.wired.com/news/infostructure/0,1377,64065,00.html; Firefox: Take Back the Web,
http://www.switch2firefox.com/press (last visited May 13, 2006).
39 See Steven J. Vaughan-Nichols, XP SP2 Gives Reasons To Switch to Linux, EWEEK.COM,
Aug. 26, 2004, http://www.eweek.com/article2/0,1759,1640069,00.asp; cf. Thompson, supra note
23, at 32 (“By relying so exclusively on Microsoft products, virus authors say, we have created a
digital monoculture, a dangerous thinning of the Internet’s gene pool.”).
40 See, e.g., Microsoft Corp., A Trustworthy Vision for Computing,
http://www.microsoft.com/mscorp/twc/overview.mspx (last visited May 13, 2006) (“[M]any people still are hesitant to entrust
[computers] with their lives . . . . Microsoft’s response to this lack of confidence is the Trustworthy
Computing Initiative.”).
41 Internet Security and Privacy: Hearing Before the S. Comm. on the Judiciary, 106th Cong.
40 (2000) (statement of Richard Pethia, Director of Computer Emergency Response Team Coordination
Center).
42 Id.
43 See Zittrain, supra note 8, at 2008–10.
digms.”44 Advances in authentication and encryption schemes are also
changing the assumptions upon which the Internet is built. Internet
routers can now filter traffic to prevent DDoS attacks and raise alerts
about suspicious traffic.45 Software vendors now build automatic up-
dates and patches into their software. Some researchers have proposed
methods to allow “vaccines” to leapfrog and contain the propagation of
viruses.46 Researchers have even theorized about artificial intelligen-
ces that could help repulse an attack on computer networks.47
The constant barrage of cyberattacks has prompted users to adopt
a wide variety of practices that improve the integrity of the Internet.
Firewalls provide broad protection against general attack methods, in-
cluding unforeseen ones. Antivirus and antispyware software provide
specific protection against known threats. Large organizations now
undertake regular security audits and provide computer security train-
ing to employees.48 They also turn off unnecessary features of com-
puter operating systems and lock down systems to prevent users from
installing or inadvertently running unapproved, potentially dangerous
software.49 Some corporations have diversified their computing assets,
helping to ensure that no single vulnerability can bring every system
down.50
Finally, the threats posed by cybercrime can prompt even more
fundamental structural changes. For example, some organizations
have made large investments to build and maintain alternative net-
works that are insulated from the Internet. The Internet2 consortium
has created the Abilene network, a high-performance backbone net-
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
44 U.S. DEP’T OF COMMERCE, TECHNICAL AND ECONOMIC ASSESSMENT OF
INTERNET PROTOCOL VERSION 6 (IPV6), at 37 (2006), available at http://www.ntia.doc.gov/
ntiahome/ntiageneral/ipv6/final/ipv6final.pdf. But see id. at 37–39 (describing ways in which
IPv6 may actually reduce security).
45 STUART BIEGEL, BEYOND OUR CONTROL? CONFRONTING THE LIMITS OF OUR
LEGAL SYSTEM IN THE AGE OF CYBERSPACE 252 (2001).
46 See Jacob Goldenberg et al., Distributive Immunization of Networks Against Viruses Using
the ‘Honey-Pot’ Architecture, 1 NATURE PHYSICS 184, 184 (2005).
47 See Mitchell S. Ross, An Application of Artificial Intelligence To Provide Strategic Warning
to an Information Warfare Attack Against National Information Infrastructures (Mar. 3, 1997),
http://www.carlisle.army.mil/usacsl/divisions/std/branches/keg/97TermII/maai.htm. But cf. TER-
MINATOR 3: RISE OF THE MACHINES (Warner Bros. 2003) (envisioning an artificial intelligence
that is released to destroy a computer virus but instead commences thermonuclear war against
humans).
48 See Tom Dodds & Ken Pfeil, Microsoft Corp., Security Considerations for End Systems,
http://www.microsoft.com/technet/Security/bestprac/bpent/sec2/sconsid.mspx (last visited May 13,
2006).
49 See id.
50 See, e.g., Netcraft, Example Site 1 — www.apple.com, http://uptime.netcraft.com/up/graph
(last visited May 13, 2006) (noting that between 1999 and 2001, www.apple.com used “more than
one type of Operating System . . . in parallel”).
work to which only Internet2 members may connect.51 The consor-
tium uses Abilene to perform research on new technologies, and the
network’s semiprivate nature ensures that members can insulate some
systems from regular Internet traffic. A massive DDoS attack on the
Internet would affect Abilene traffic only if part of the attack origi-
nated from an Internet2 member.
In summary, cybercrime keeps Internet users on their toes: it makes
security flaws salient, which prompts patching and improves market
information. That information in turn drives the adoption of more se-
cure technologies and practices.
III. INNOVATIVE SOLUTIONS FOR A GENERATIVE SYSTEM
Current federal law does not properly take into account the possi-
bility of beneficial cybercrime because it does not differentiate between
cybercrime and other types of crime. The primary rationale for this
equivalence involves the substitution effect: “that disproportionately
punishing activity in either realspace or cyberspace will induce crimi-
nals to shift their activities to that sphere in which the expected pun-
ishment is lower.”52 Such reasoning ignores the central insight of this
Note: crimes that cause minimal damage relative to how much they
increase security awareness are beneficial. Engineering punishments
to steer criminals toward more beneficial crime would actually be op-
timal. Furthermore, the notion that crimes in realspace and cyber-
space are easily or even feasibly substitutable is often ludicrous: a
bank robber is unlikely to switch to writing worms that offer no finan-
cial gain just because he will receive less punishment.
Current policy also does not sufficiently take into account the im-
portance of hackers and users in securing the Internet. Hackers are an
incredibly valuable resource for security knowledge, and cybercrime
policy should take pains to encourage their cooperation and to avoid
alienating them. Internet users, on the other hand, are perhaps not
dealt with harshly enough; ultimately, the only way to secure the
Internet is to ensure that these users secure their systems.
This Part suggests several reforms that concern punishment, the
role of hackers in the quest for security, and methods to force users to
take more active responsibility for their systems. The reforms sug-
gested have several advantages over current policy: they tap the crea-
tive energy of a vast network of underground hackers, they force users
and vendors to respond in beneficial ways that government policy
would be unable to force directly, and they spread costs to those who
value security, including the private sector and foreign countries.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
51 Abilene FAQ, http://abilene.internet2.edu/about/faq.html (last visited May 13, 2006).
52 Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. PA. L. REV. 1003, 1005 (2001).
A. Punishment
One thing is clear: beneficial cybercrime should not be overdeterred
— it should actually be encouraged. Of course, the line between bene-
ficial and nonbeneficial cybercrime is hazy, but it is possible to identify
factors that indicate a crime is likely to be beneficial. In arguing that
such factors should affect cybercrime policy, this Note assumes that
adjusting punishment has at least a marginal effect on deterrence53
and that the primary goals of punishment are instrumental.54 The
benefits, however, may be so attenuated and uncertain that little to no
change from current law is warranted. At the very least, though, ef-
forts to increase penalties for cybercrime should be evaluated using
this cost-benefit framework.55
The current U.S. Sentencing Guidelines do not sufficiently take in-
strumental concerns into account. The Guidelines primarily concern
economic crimes in general, with few cybercrime-specific provisions.
If policymakers decide that instrumental concerns about immunizing
the Internet necessitate a redesign of cybercrime policy, the problem
becomes one of outlining the principles by which cybercrime is to be
judged as beneficial. Three principles should underlie such a judg-
ment: measurement of damage, marginal deterrence, and nature of the
exploitation.
1. Measurement of Damage. — The measure of damage used in a
cost-benefit analysis of cybercrime is more nuanced than current law
provides. When the U.S. Sentencing Commission last amended the
Guidelines applicable to cybercrime, it defined actual loss as “any rea-
sonable cost to any victim, including the cost of responding to an of-
fense, conducting a damage assessment, and restoring the data, pro-
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
53 Deterrence analysis is quite complex, and many of its claims are open to debate. See, e.g.,
Tracey L. Meares et al., Updating the Study of Punishment, 56 STAN. L. REV. 1171 (2004); Paul
H. Robinson & John M. Darley, The Role of Deterrence in the Formulation of Criminal Law
Rules: At Its Worst When Doing Its Best, 91 GEO. L.J. 949 (2003).
54 Other punishment objectives may also support the approach suggested in this Note. Inca-
pacitation may be of lesser concern because, as section III.B argues, a system of creative sentenc-
ing could encourage cybercriminals to contribute to security rather than simply deny them access
to computers. In addition, hackers seem more amenable to rehabilitation than other types of
criminals, possibly because hackers can more easily transition to legitimate activities. See, e.g.,
FURNELL, supra note 3, at 70–71 (describing a hacker group called Legion of Doom, some mem-
bers of which formed a security firm after a government crackdown); id. at 82–91, 225–29 (de-
scribing the hackers Cap’n Crunch, Kevin Mitnick, and Kevin Poulsen, all of whom pursued le-
gitimate job opportunities in the security field after prison time).
55 For an example of an overly simplistic cost-benefit analysis reaching the wrong result, see
Steven E. Landsburg, Feed the Worms Who Write Worms to the Worms, SLATE, May 26, 2004,
http://www.slate.com/?id=2101297&, which argues that authors of computer worms should be
subject to the death penalty.
gram, system, or information to its condition prior to the offense, and
any . . . damages incurred because of interruption of service.”56
This measure of loss is overinclusive, however, because much of the
cost of restoring system integrity is money that one should reasonably
expect users to spend anyway. Whenever security flaws are discov-
ered, users spend time and money to patch them, regardless of whether
their systems have been attacked. Yet these same costs, when borne
by the actual victim of a breach, count as losses under the current
Guidelines even when the hacked system suffers no damage.57 It is as
if a mere trespasser who entered a doorway with no lock were held li-
able for the cost of installing a lock afterwards.
Crime that does very little damage may not be noticeable by all
parties involved, however, erasing some of the benefits. For example,
many worms can compromise machines without the users even notic-
ing; groups of such machines are then used in DDoS attacks.58 If the
worms do no noticeable damage to the compromised machines them-
selves, the owners may never remove the worms and patch the secu-
rity holes. Therefore, some minimal damage may actually increase the
crime’s benefit.59 Ideally, the worm would alert the user of the ma-
chine that he is vulnerable without causing permanent damage. For
example, a large, flashing message mocking the user for his incompe-
tence would do the trick.60
2. Marginal Deterrence. — Because the most beneficial attacks are
those that reveal the most information about potentially dangerous se-
curity flaws while causing the least damage, it is important to ensure a
large gulf in punishment between attacks that reach their full destruc-
tive potential and those that do not. For example, if the security hole
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
56 U.S. SENTENCING GUIDELINES MANUAL § 2B1.1 cmt. 3(A)(v)(III) (2005).
57 Such costs would probably fall under the phrase “cost of responding to an offense.” Id.; cf.
Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935–36 (9th Cir. 2004) (rejecting the
defendant’s argument that damages could not be assessed for routine maintenance and upgrades
that the plaintiff would have needed to perform in any case). In some cases of unauthorized ac-
cess to computer systems, the damage caused is not just the breach but also the cost of cleaning
up and ensuring that the hacker did not maliciously alter the system. Such security audits are
common after sophisticated, directed attacks on specific systems. However, in cases in which
thousands or millions of computers are breached, the attack is necessarily an automated attack
with a known payload. In such cases, the payload usually does the exact same thing to each sys-
tem breached, and researchers can create automated cleanup programs that can quickly and eas-
ily restore the integrity of the systems affected.
58 See FURNELL, supra note 3, at 110 (“[T]he sites hosting the daemons [used in DDoS at-
tacks] typically do so unwittingly, the programs having been installed via stealth methods.”).
59 There are other benefits. Other parties affected, such as the network providers and the site
targeted by the DDoS attack, will take protective measures, and there may also be media atten-
tion focused on the vulnerability exploited.
60 See Thompson, supra note 23, at 31 (describing a virus that simply displays a picture of a
raised middle finger and a virus that displays two artificial intelligence chat-agents debating
whether they will be caught by antivirus software).
exploited in an attack gives the attacker the ability to execute arbitrary
code with full administrative privileges, the potential for damage is
great: he can steal or destroy any data on the system and use the sys-
tem itself for a self-propagating attack. The attacker may choose not
to do so, however; he may choose instead simply to create a worm that
self-propagates but does not destroy any data. In fact, a “benevolent”
worm could even close the security hole behind it.61 Punishments
should encourage attacks that fall shortest of their full destructive po-
tential, at the very least by taking into account the gap between poten-
tial and actual damage during sentencing.
Current law only minimally reflects concerns over marginal deter-
rence. The Guidelines specify an increase in offense level that ranges
from zero for losses less than $5000 to thirty for losses greater than
$400 million,62 but they do not take account of the difference between
actual and potential damage.63 As discussed above, however, any
moderately widespread attack will almost certainly create massive
losses (as measured under the Guidelines) because of the large number
of users who will have to patch the hole. Many crimes that might be
considered beneficial under the measures discussed in Part II would
quickly blow through the loss brackets in the Guidelines. And at that
point, there is no possibility of marginal deterrence, and an attacker
might decide that it is worth the glory to create damage well beyond
$400 million. Therefore, a redesigned system could exempt the cost of
patching a vulnerability from the measure of loss. A redesign might
also increase the high end of the Guidelines and the statutory maxi-
mums so that sentencing levels increase as damage increases beyond
$400 million.
3. Nature of the Exploitation. — The current Guidelines increase
the sentence if the offense involves “a computer system used to main-
tain or operate a critical infrastructure.”64 Such a differential is justi-
fied if the vulnerability exploited is common to many systems: if crime
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
61 A worm named Welchia spread using the security hole exploited by the earlier Blaster
worm, but after entering a computer system it downloaded a patch for the hole. See New Inter-
net Worm Tries To Patch Windows Hole, USA TODAY, Aug. 19, 2003, http://www.usatoday.com/
tech/news/computersecurity/2003-08-19-good-worm_x.htm. Arguably, such worms are damaging
simply because they create excess network traffic and can cause computers to reboot, but the
question remains whether the benefits, which may not be immediate, outweigh the costs. See,
e.g., Celeste Biever, Turning the Worm Secures the Computer, NEW SCIENTIST, Feb. 4, 2006, at
32 (describing a beneficial worm that spreads with restraint).
62 For a first-time offender, the base offense level of six, U.S. SENTENCING GUIDELINES
MANUAL § 2B1.1(a)(2) (2005), carries a sentence of zero to six months, whereas an offense level of
thirty-six carries a sentence of 188 to 235 months. See id. § 5A tbl. That sentence, however, is
limited by the statutory maximum, which in most cases ranges from one to twenty years. See 18
U.S.C. § 1030(c) (2000 & Supp. II 2002).
63 U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(1).
64 Id. § 2B1.1(b)(14)(A)(i).
is beneficial for revealing security flaws, attacks on less-critical systems
are generally preferable because the flaw is revealed without actually
exposing the critical system to risk.65 However, if the vulnerability ex-
ploited is specific to a system operating critical infrastructure, then the
differential is illogical: the benefit can be realized only through an at-
tack on that system. Securing such systems is of primary importance,
and an attack on such a system that does little damage but reveals im-
portant security information is therefore desirable.66
The current Guidelines also base sentences on the number of vic-
tims.67 The most dangerous vulnerabilities, however, are those that
are widespread. Additionally, the only ways many users learn of
vulnerabilities are either through being attacked or through heavily
circulated media accounts of particularly notable attacks. Therefore, a
wide-ranging attack can be more beneficial than a relatively limited
one. A redesigned system might reduce or eliminate the importance of
this factor or at least make its application more nuanced.
Finally, as discussed above, an attack’s benefits generally correlate
with its novelty. Exploitation of a known security hole usually offers
little benefit beyond raising awareness. A novel attack, however, re-
veals much more valuable information that could preempt a more
damaging surprise attack. Therefore, a redesigned system might pun-
ish attacks that are novel more lightly, and punish attacks that are not
novel more harshly.
In summary, under the view that the damage from an attack is
worth the attendant boost in immunity and reduction of the risk
of a catastrophic attack, some crimes (for example, those that affect a
large number of people but do little damage to each) are overdeterred,
and some crimes (for example, those that are not novel) are
underdeterred.68
B. The Role of Hackers: A Proliferation of Hat Colors
Yes, I am a criminal. My crime is that of curiosity. My crime is that of
judging people by what they say and think, not what they look like. My
crime is that of outsmarting you, something that you will never forgive me
for.69
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
65 This argument assumes that operators of critical systems pay attention to attacks on similar,
less-critical systems and take steps to patch vulnerabilities before being attacked themselves.
66 Such attacks are not as unlikely as they may seem, due to the unique psychology of hacking
and the lure of such challenges. See supra p. 2446.
67 U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(2).
68 To the extent that cybercrime may be harder to detect and investigate than other crimes,
however, it is possible that cybercrime is already somewhat underdeterred.
69 The Mentor, The Conscience of a Hacker, PHRACK INC., Jan. 8, 1986, Vol. 1, Issue 7, at
phile 3, http://www.phrack.org/archives/phrack07.tar.gz.
Hackers have always played a dual role in the development of the
Internet. As Robert Steele puts it, hackers “see[] the dangers, the vul-
nerabilities, the shoddy, unethical, inappropriate business behavior by
communications and computing companies. . . . And everyone wants
to shoot the messenger.”70 Steele argues that hackers are a national re-
source but that governments around the world consider them “patho-
logical scum” because they do not understand hackers and the envi-
ronment in which they operate.71 But whether one sees hackers as
good or evil, there is no denying that they can provide vital informa-
tion about vulnerabilities in the infrastructure. And unless one be-
lieves that terrorists and hostile nations do not employ their own hack-
ers, it is clear that they are a resource that should be exploited.
This Note does not argue that hackers should not be prosecuted. It
argues merely that cybercrime policy should be reshaped to encourage
hackers to move closer to the “white hat” hacker model — disclosing
security holes responsibly, working with vendors to fix such holes
quickly, and cooperating with law enforcement.72 Cybercrime policy
should give hackers incentives to make their attacks benign; when
hackers are caught, that same policy should give them incentives to
turn to legitimate activities, even while incarcerated. Finally, those
convicted of conducting the most destructive attacks should receive
the harshest punishments.
Although the law should encourage movement toward the white
hat model, some activity that is currently illegal may be necessary if
society is to maximize the benefit from cybercrime. A possible objec-
tion to recognizing the benefits of cybercrime is that organizations
could instead rely on white hats to test their security; white hats would
offer comparable information while operating transparently, responsi-
bly, and without causing damage. This approach clearly offers advan-
tages, but to the extent that the United States has reason to fear a truly
catastrophic attack, white hats must be only one part of a broader
strategy. White hats cannot ethically invade the computer systems of
users who have not invited them to do so, meaning that they can pro-
vide only the first of the benefits enumerated in section III.A — un-
veiling of security holes.73 The very users whose systems are most at
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
70 Frontline, Are Hackers Outlaws or Watchdogs?, http://www.pbs.org/wgbh/pages/frontline/
shows/hackers/whoare/outlaws.html (last visited May 13, 2006) (interview with Robert Steele).
71 Id.
72 Cooperation on some level already exists. Some virus writers claim that upon finishing a
virus, they immediately e-mail a copy of it to antivirus companies. See Thompson, supra note 23,
at 72. They thus claim that “their virus-writing strengthens the ‘immune system’ of the Internet.”
Id.
73 Judge Posner argues that malicious hackers should be given harsh sentences, noting that if
they are deterred, “they will become lawful computer programmers — perhaps specializing in
making computers more secure against viruses!” POSNER, supra note 27, at 244. He fails to real-
risk of being hijacked for nefarious purposes — the most negligent or
ignorant users — are the ones least likely to invite a white hat to do a
security audit.74
Cybercrime policy must also take into account the social dynamic
of the hacker community. Alienating the hacker community by pro-
viding insufficient safe harbors and dealing with hackers in an insensi-
tive or heavy-handed manner threatens security. Angry or disillu-
sioned hackers may disclose vulnerabilities irresponsibly, refuse to help
create patches, or even engage in attacks themselves. Others may
leave the business altogether. Ensuring that U.S. security expertise is
on the cutting edge requires preserving an adversarial but respectful
dynamic between hackers, engineers, and law enforcement. Instead of
taking a hard-line approach with hackers working at what are now
considered the bounds of legitimate behavior, the law should provide
them with greater freedom and incentives to cooperate in the quest for
a more secure information infrastructure.
To encourage cooperation from hackers, corporations and govern-
ment officials must take a softer approach. Existing law could be
amended or interpreted to allow hackers greater freedom to test sys-
tems for security vulnerabilities. For example, at least one court has
held that a port scan — a method for finding security weaknesses that
does not involve any actual breach of security — was not actionable
under state or federal law partly because the costs of investigating the
scan did not fit within the statutory damage definition.75
Indeed, although punishment can be optimized to encourage bene-
ficial cybercrime, rewards may also entice hackers to help secure the
information infrastructure. Cash incentives could encourage some
hackers to discontinue harmful activity and instead provide informa-
tion and guidance about the security vulnerabilities they have been
exploiting.76 Statutory safeguards against prosecution for past crimes
could encourage hackers to come forward. Alternatively, a system for
anonymous information sharing or even informal use of informants
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
ize, however, the possibility that “black hat” hackers can provide benefits that white hat hackers
cannot. Judge Posner also elides the difficulty in drawing the line that defines legal and illegal
hacking activity.
74 Although the most important targets, such as government, military, and corporate users, are
likely to have professional security staff, hackers often launch attacks against these targets by us-
ing ordinary, privately owned personal computers that may not receive sufficient attention from
their owners. See supra p. 2444.
75 See Moulton v. VC3, No. 1:00CV434-TWT, 2000 WL 33310901, at *6 (N.D. Ga. Nov. 7,
2000).
76 Many hackers generate no income from their activities, and of those who do, at least some
could be swayed by modest cash rewards. See Brian Krebs, Invasion of the Computer Snatchers,
WASH. POST, Feb. 19, 2006 (Magazine), at 10, 12 (describing a hacker employed for only a mod-
erate salary).
could be encouraged. Any such effort, however, must be sensitive to a
hacker subculture that may take pride in defying authority.
Hackers should also be given incentives to reveal the security vul-
nerabilities they find in a responsible manner. In many cases, hackers
simply want recognition for their discoveries,77 which they might oth-
erwise get only by publicizing a flaw before a patch is available. In a
promising sign, the data networking vendor 3Com recently created a
“Zero Day Initiative,” which encourages responsible disclosure of secu-
rity flaws by promising hackers who keep flaws confidential that they
will be recognized after the flaw has been fixed.78
The government and the private sector should invite hackers to
help conduct security exercises. Security experts often engage in “Red
Teaming,” in which a team simulates an attack on a specified target.
The purpose of the exercise is to identify system vulnerabilities and the
methods by which an enemy is likely to exploit them. The government
has taken a few steps in this direction;79 such programs could be ex-
panded to include more realistic situations by inviting hackers to think
like the enemy and attempt attacks on a designated target.80 Success-
ful participants should be rewarded with recognition, money, or both.
Creative punishment could provide benefits beyond simple deter-
rence and incapacitation. Even if a hacker is captured and prosecuted
only long after the exploited vulnerability has been patched, the
hacker may be able to provide valuable information about related
vulnerabilities.81 Federal prosecutors and judges, however, have little
discretion to induce such cooperation.82 In other words, the justice
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
77 See John Walko, 3Com Initiative Sets the Clock Back on Zero Day Security Attacks, EE
TIMES, July 25, 2005, http://www.eetimes.com/showArticle.jhtml?articleID=166402117.
78 Id.; 3Com, Zero Day Initiative, http://www.zerodayinitiative.com (last visited May 13,
2006).
79 See Michael Arnone, DHS To Run Cybersecurity Exercise, FCW.COM, Jan. 31, 2006,
http://www.fcw.com/article92160-01-31-06-Web&RSS=yes#related; ‘Cyber Storm’ Tests US De-
fences, BBC NEWS, Feb. 12, 2006, http://news.bbc.co.uk/1/hi/world/americas/4706316.stm.
80 See, e.g., SANS Inst., SANS Network Security 2002, SANS 9th ID-Net, http://www.
sans.org/NS2002/idnet.php (last visited May 13, 2006) (describing a hacking competition in which
“those who have done the most damage [to a designated network] win”).
81 For example, Microsoft software has recently been affected by a string of attacks exploiting
flaws related to its Windows Meta File (WMF) technology. Microsoft issued a patch for the origi-
nal security hole, but the patch did not fix vulnerabilities in other software that relied on WMF.
A few weeks later, Microsoft issued a warning about a flaw in its web browser related to the
original WMF flaw. Elizabeth Millard, Microsoft Warns of New WMF Vulnerability,
NEWSFACTOR MAG. ONLINE, Feb. 8, 2006, http://www.newsfactor.com/story.xhtml?
story_id=41503. If the person who discovered the flaw had initiated the first attack and was
caught, he would probably have been able to help Microsoft ferret out other vulnerabilities re-
lated to WMF.
82 Department of Justice policy generally requires prosecutors to seek sentences within the
Guidelines, see Memorandum from James B. Comey, Deputy Attorney Gen., U.S. Dep’t of Justice,
to All Federal Prosecutors (Jan. 28, 2005), available at http://sentencing.typepad.com/
sentencing_law_and_policy/files/dag_jan_28_comey_memo_on_booker.pdf, which allow for de-
system operates on a narrow view of punishment’s purposes that does
not take into account the broader goal of creating a more secure
infrastructure.83
The reality is that the United States is now moving toward a re-
gime in which the very act of disclosing information on security vul-
nerabilities is criminal. Although cases of legitimate security consult-
ants being prosecuted for informing users of security holes remain
anecdotal,84 recent legislation appears to be based on the naïve belief
that decreasing transparency and driving hackers into the criminal
fringe will increase security. Cases under the Digital Millennium
Copyright Act85 (DMCA), which criminalizes the development and dis-
tribution of tools for circumventing copyright protection, may indicate
how the government and corporations will approach other security-
related issues.
The first person indicted under the DMCA’s anticircumvention
provision was a Russian programmer named Dimitry Sklyarov, who
had made available software that could circumvent copyright protec-
tion in Adobe eBooks.86 Sklyarov was arrested when he came to the
United States to present his research on eBook security flaws at the
DEF CON computer security conference.87 His software exploited the
fact that several vendors selling eBook encryption software used “ludi-
crously weak” encryption methods.88 One vendor used a method
called rot13 — replacement of each letter with the letter thirteen places
down the alphabet — that is “often used as the canonical example of
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
partures only when the defendant has assisted in the investigation of another person who has
committed an offense, U.S. SENTENCING GUIDELINES MANUAL § 5K1.1 (2005), or in the “ex-
ceptional case” of relevant circumstances not identified in the Guidelines, id. §§ 5K2.0(a)(2)(B),
5K2.0 cmt. 3(A)(ii).
83 Because part of the allure of hacking may be its illegal nature, however, legitimizing more
behavior may push some hackers toward even more destructive activity. Therefore, to the extent
hackers relish the criminal nature of their activity, it may be necessary to criminalize some benefi-
cial hacking. At the same time, it seems intuitive that hackers do not desire punishment but sim-
ply the challenge of evading capture; therefore, enforcement efforts might be kept high even as
punishment is lowered.
84 See, e.g., John Leyden, Ethical Hacker Faces War Driving Charges, REGISTER, July 26,
2002, http://www.theregister.co.uk/2002/07/26/ethical_hacker_faces_war_driving; see also Nat’l
Ass’n of Criminal Def. Lawyers et al., Comments on the Cyber Security Enhancement Act of
2002, at 8–9 (2002), available at http://cyberlaw.stanford.edu/about/cases/1030%20Comments%
202-19-03.pdf.
85 17 U.S.C. § 1201(b)(1) (2000).
86 Press Release, U.S. Dep’t of Justice, First Indictment Under Digital Millennium Copyright
Act Returned Against Russian National, Company, in San Jose, California (Aug. 28, 2001),
http://www.cybercrime.gov/Sklyarovindictment.htm.
87 Elec. Frontier Found., US v. ElcomSoft & Sklyarov FAQ,
http://www.eff.org/IP/DMCA/US_v_Elcomsoft/us_v_elcomsoft_faq.html (last visited May 13, 2006).
88 Bruce Perens, Dimitry Sklyarov: Enemy or Friend?, ZDNET NEWS, Aug. 1, 2001,
http://news.zdnet.com/2100-9595_22-530420.html.
weak encryption.”89 In effect, Sklyarov had demonstrated to users of
eBook encryption software that their books were protected by an algo-
rithm that the average elementary school student could crack. And
those users probably would have preferred to know sooner rather than
later that their documents were not secure. Sklyarov’s actions can
hardly be considered detrimental to society — in fact, even Adobe,
which had supported the indictment, later called for his release.90
Although Sklyarov was prosecuted not for simple disclosure of se-
curity holes but for trafficking in tools that exploit the holes, the dis-
tinction is blurry. When security holes such as the ones in the eBooks
are so easy to exploit, simple disclosure of the holes guarantees that
circumvention tools will be produced in a matter of minutes.91 Even
complex flaws can be exploited quickly, as shown by zero-day exploits.
Despite the fact that there does not appear to be a trend of similar
cases prosecuted under the DMCA,92 even a single case can produce a
chilling effect on security research. Finally, even assuming no such
chilling effect exists, the slothful, disrespectful, or even hostile way in
which some corporations handle reports of vulnerabilities can alienate
the hacker community.93
C. Getting Users in Line
Finally, an effective cybercrime policy must spread information and
incentivize users to adopt stronger security precautions. As discussed
above, devastating attacks can be launched using well-known security
holes because of user negligence in patching systems. Securing these
systems is difficult because their owners are often not significantly af-
fected and are scattered around the world. Public awareness programs
and possibly even civil sanctions, bolstered by international coopera-
tion, should be used to shut down networks of hijacked computers and
to prevent new ones from being created.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
89 Wikipedia, ROT13, http://en.wikipedia.org/wiki/ROT13 (last visited May 13, 2006).
90 Press Release, Elec. Frontier Found. & Adobe Sys. Inc., Adobe, Electronic Frontier Foundation
Call for Release of Russian Programmer (July 23, 2001),
http://www.eff.org/IP/DMCA/US_v_Elcomsoft/20010723_eff_adobe_sklyarov_pr.html. The United States later released
Sklyarov in exchange for his testimony in the prosecution of his former employer. Press Release,
U.S. Dep’t of Justice, Russian National Enters into Agreement with the United States on First
Digital Millennium Copyright Act Case (Dec. 13, 2001), http://www.cybercrime.gov/sklyarovAgree.htm.
91 Cf. Thompson, supra note 23, at 30–31 (describing virus writers who publish their work on
websites and allow others to modify and release them).
92 See U.S. Dep’t of Justice, Intellectual Property Cases,
http://www.cybercrime.gov/ipcases.htm (last visited May 13, 2006).
93 See, e.g., Robert Lemos, Oracle in War of Words with Security Researcher, REGISTER, Jan.
26, 2006, http://www.theregister.co.uk/2006/01/26/security_researcher_versus_oracle (describing
Oracle’s criticism of a researcher’s disclosure of a vulnerability before a fix was available and not-
ing that Oracle had previously taken more than 800 days to fix certain flaws).
2462 HARVARD LAW REVIEW [Vol. 119:2442
Government agencies have made small steps toward raising public
awareness about computer security, but some of their attempts border
on the comical. The FTC distributes security information through its
website and has formed partnerships with other government agencies
and the private sector; it also has a mascot named Dewie the e-Turtle
to help “promote a culture of security.”94 The Department of Home-
land Security promotes educational programs from the grade school
through university levels and has a National Cyber Alert System to
distribute information to computer users; its awareness programs in-
clude encouraging Americans to “review and improve their cyber
readiness” during Daylight Savings Time.95
Something more threatening than a friendly e-Turtle, however, may
be necessary to raise awareness and convince users to take responsibil-
ity for their own machines. Professor Michael Rustad argues that
computer system operators could be held liable to third parties for
permitting hackers to invade their systems.96 In the context of botnets,
however, it would be administratively difficult to impose liability on
thousands of home users. To avoid that problem, Professors Doug
Lichtman and Eric Posner propose that Internet Service Providers
(ISPs) should be held accountable when their subscribers originate or
propagate malicious code.97 ISPs, they argue, are “in a good position
to reduce the number and severity of bad acts online” and should be
encouraged to do their part in responding to cyberattacks.98
The global nature of the Internet means that even if users in the
United States start taking effective security measures, computers
abroad could still be used in an attack on a U.S. target. Therefore, in-
ternational cooperation is crucial to ensuring the integrity of the Inter-
net. The Convention on Cybercrime99 (which the United States has
signed but not ratified100) provides for international cooperation in
prosecuting cybercrime but makes no provision for cooperation in se-
curing networks.101 Informal cooperation can be used to spread public
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
94 Protecting Our Nation’s Cyber Space: Educational Awareness for the Cyber Citizen: Hearing
Before the H. Subcomm. on Technology, Information Policy, Intergovernmental Relations and the
Census, 108th Cong. 12–13 (2004) (statement of FTC Comm’r Orson Swindle).
95 Id. at 34, 38 (statement of Amit Yoran, Director, National Cyber Security Division, U.S.
Department of Homeland Security).
96 Rustad, supra note 23, at 107–13.
97 See Doug Lichtman & Eric A. Posner, Holding Internet Service Providers Accountable, in
THE LAW AND ECONOMICS OF CYBERSECURITY, supra note 30, at 221, 222.
98 Id. at 223–24.
99 Opened for signature Nov. 23, 2001, available at
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm.
100 See Council of Europe, Convention on Cybercrime, CETS No.: 185,
http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=4/8/2006&CL=ENG (last visited May
13, 2006).
101 See Convention on Cybercrime, supra note 99, arts. 23–35.
education programs transnationally; however, a formal agreement may
be necessary to extend tort liability for users and ISPs across borders.
IV. CONCLUSION
The government will likely increase its cybercrime enforcement ef-
forts. The results will fall between two extremes: a world in which
law enforcement constantly lags behind cybercriminals, and a world in
which the government’s enforcement operations are so ruthless that
hackers are cowed into submission. This Note offers an approach that
will prevent the United States from straying too close to either ex-
treme. The goal should not be to eliminate cybercrime (a futile en-
deavor), nor should it be to let cybercrime run rampant, relying on us-
ers to protect themselves. The goal should be to secure the
information infrastructure by working with industry and Internet us-
ers and by enlisting hackers on the side of greater security. Doing so
requires some baseline level of cybercrime to keep prevention efforts
active and alert.
One might argue that the approach this Note describes places too
much emphasis on regulation via code, when it should be merely part
of a multipronged effort also involving law, markets, and social norms.
Professor Lawrence Lessig asserts that “[t]he optimal protection for
spaces in cyberspace is a mix between public law and private fences.
The question to ask in determining the mix is which protection, on the
margin, costs less.”102 This Note, however, does not argue that public
law should be discarded in favor of private fences. Instead, it recog-
nizes that the coercive effect of public law correlates inversely with the
quality of private fences: the more the law deters noncatastrophic cy-
bercrime or otherwise constrains the actions of hackers, the lower the
quality of the fences built to keep them out. And that is when the at-
tacker bent on catastrophe — and unlikely to be significantly affected
by market forces or social norms — is bound to strike, with devastat-
ing effect.
Cybercrime is different from other crime. It is potentially far more
dangerous than most other crime, but that danger does not justify in-
creasing punishment across the board. On the contrary, some types of
cybercrime are beneficial, and those people operating on the fringe of
legitimate hacking activity are an important resource in securing the
information infrastructure against catastrophic attacks. Finally, pre-
vention — strengthening the Internet’s immune system — is the most
powerful defense available. Code takes precedence over law,103 not
because it can, but because it must.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
102 See LESSIG, supra note 4, at 123.
103 See id. at 53.