Last week, a German court issued a suspended sentence for the Mirai botmaster Daniel Kaye. Kaye, a U.K. citizen, was responsible for the IoT botnet being launched in the fall of 2016. The Mirai botnet was said to have knocked more than 900,000 IoT devices offline before being shut down. Kaye now faces cybercrime charges in the UK.
Slap on the Wrist?
This appears to be quite the slap on the wrist. Although Kaye is not a German citizen, he still was arrested and charged there. The suspended sentence for a criminal is tantamount to a joke. This means he will serve no time for his crimes. Knocking 900,000 devices offline is one thing. The time and money it took companies and individuals to recover from this is another.
Victims Pay the Price
When my car was stolen 11 years ago it was eventually recovered by police when it was involved in a police chase. The four criminals inside were all arrested. When I got it back there was a bullet hole in the back and there had been heavy drug use inside the car. Extensive other damage had also occurred as part of its three-day adventure. When I was told of the damage my first question was, do I have to take it back? The answer was sadly yes.
I of course had insurance so they paid for the repairs, less my deductible. Then when I went to sell it, they knew it was in an accident and I lost value on the resale. The criminals who were in possession of my car did not have to pay the price for this. Only I suffered the financial loss for doing nothing more than being in the wrong place at the wrong time. The criminals were all released on suspended sentence.
I did everything I was supposed to do. I parked in the designated spot and locked my car. The reason my car was stolen was Chrysler cars have a flaw that makes them very easy to "boost". No one ever told me that when I purchased it. The criminals sought out Chrysler cars.
Who is Responsible?
This is similar to victims of software and hardware flaws. The victims always have to pay the price in the end. People purchase devices, and when the flaws are exploited, damages occur to someone. Companies and individuals do need to take the proper steps in securing their devices, but if they take reasonable measures to secure these things, who is responsible for the damages when they occur?
Software and hardware are produced daily, and security is top of mind for some manufacturers and not for others. There is definitely a cost-benefit analysis that takes place.
If the proper security measures are taken, should the criminals who exploit them pay for the restitution? Or should the manufacturers have to pay back the victims for the loss?
I think these are interesting questions and it will be interesting to see what the courts do over the next few years. It is getting easier to track down cyber thieves, so many more arrests will happen. Things like suspended sentences, though, had better not become the norm. Don't the courts understand Risk vs. Reward?