What justice should be served to Marcus Hutchins?
The twenty-something British security researcher, better known by his online alias “MalwareTech,” gained international acclaim when he stopped a globe-circling, business-crippling, North Korean-sprung cyberattack in 2017. Later that year, the United States arrested Hutchins at a Las Vegas airport and charged him with conspiring, years earlier, to create and sell login credential-stealing malware, dubbed Kronos, aimed at draining people’s bank accounts. Suddenly, the white hat hacker’s sterling reputation turned a shade of grey.
This week Hutchins pleaded guilty to two counts under the Computer Fraud and Abuse Act and the Wiretap Act, both of which carry maximum penalties of five years in prison and $250,000 in fines. (The government said it would dismiss other counts against Hutchins in exchange for his guilty plea.) In a statement posted to his blog, Hutchins wrote that he regretted his actions and accepted full responsibility for his mistakes. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes,” he said. “I will continue to devote my time to keeping people safe from malware attacks.”
Now, as Hutchins faces sentencing, some commentators argue that he should be let off the hook. The New York Times’ Sarah Jeong contends that Hutchins should be granted a pardon, given his apparently newfound moral sense and his role (temporarily) halting the so-called WannaCry cyberattack. “His conviction sends the wrong message about whether or not it pays to mend your ways and, when the moment comes, to do the right thing,” she writes.
I agree with this sentiment, but not with the conclusion. Hutchins’ good deed was, by his own admission, accidental. While investigating WannaCry’s code, he registered a web domain that, by a stroke of luck, sinkholed the attack. (Of course, had he not done so, it’s possible he would have continued to fly under the radar of law enforcement.)
While it’s true that Hutchins appeared to have turned over a new leaf by the time he inadvertently helped combat WannaCry, he should not get off scot-free. Hutchins’ transgressions caused real harm to innocent people. As my colleague Jeff John Roberts wrote in this column two years ago, “just because he stopped WannaCry doesn’t give him a free pass to commit bank fraud (if that’s what he did) any more than a heroic deed will excuse a gunman from robbing a convenience store.”
What’s fair, then? The judge should, in my view, deliver a lenient sentence that offers ample opportunity to earn reduced time through public service. There is a troubling shortage of cybersecurity expertise in the global workforce, and this researcher’s skills could be put to good use fighting crime. Hutchins, a smart person with unusual talents, did some exceedingly stupid things in his youth; if he has indeed changed his ways, let him prove his sincerity.