Malicious Code and the Law


The next section will attempt to summarize the legal implications of writing and distributing malicious mobile code within the boundaries of the United States. I have no formal training as a lawyer, and this section is included here only as a summarization of my understanding. Please consult legal counsel before relying on my advice.

“There ought to be a law!” At least that’s what you should be thinking as you read about all the malicious code attacks. Well, there are laws that make causing intentional damage using malicious mobile code a criminal act. If you write or distribute rogue code, which causes damage to someone else’s computer system, you can be charged with breaking the law. The hard part for the security expert is tracking down who wrote and distributed the code, and proving malicious intent. And to be truthful, there is so much hacking going on and MMC being distributed every second of every day, no law enforcement group could begin to investigate even a small part of the cases.

But as the Melissa virus author, David L. Smith, can tell you, if the malicious mobile attack gets enough media attention and the law officials can catch the perpetrator, he will go to jail. The 31-year-old New Jersey macro virus creator was arrested on April 1, 1999 and charged with several federal and state crimes. He was released on a $100,000 bond and accepted a plea agreement in court. He was found guilty and faced up to 10 years in prison and fines of up to $150,000. FBI officials used AOL records, phone records, and a “hidden” identification code embedded in every MS Word document to trace the virus’s origination to Smith’s PC. When Smith knew the FBI was on to him, he destroyed the PC he wrote the virus on. That tactic apparently didn’t stop law enforcement officials from collecting enough evidence.


Christopher Pile (a.k.a. the Black Baron) became the first person arrested in the U.K. for writing computer viruses. The author of the Pathogen , Queeg , and Smeg viruses, Pile plead guilty to 11 charges in May 1995 and was sentenced to 18 months in prison under the U.K.’s Computer Misuse Act of 1990.

The FBI established the National Infrastructure Protection Center ( in 1998. The NIPC’s mission is to “serve as the government’s focal point for threat assessment, warning, investigation, and response to threats or attacks against our nation’s critical infrastructures.” The Internet and our nation of computer systems are considered a critical infrastructure. The NIPC investigates major hacking threats and coordinates activities between federal, state, and local law officials.

In the U.S., United States Code, Title 18 ( defines the federal crimes, court systems, and punishments of the United States. It has been amended many times to include computer-related crime. The 1994 Federal Computer Abuse Act (18 U.S.C. Sec. 1030) outlaws the deliberate “transmission of a program, information, code, or command and as a result of such conduct intentionally causes damage without authorization to a protected computer” (18 U.S.C. Sec 1030(a)(5)(A).

Under the 1994 Federal Computer Abuse Act, hackers found guilty of causing damage by transmitting malicious mobile code will probably be sentenced to some jail time. For cases where intent cannot be established, but “reckless disregard” can, there is a fine and a jail sentence not to exceed one year. This is where most rogue code creators and spreaders would probably be liable. For those cases where harmful intent can be proven, it can be a fine plus 10 years in prison. The act specifically allows civil actions against malicious code writers even if they are found innocent of criminal charges.

Under the Act, even writers of malicious code programs that do not cause damage can be found guilty, as long as the “recovery damage” exceeds $1,000. Recovery damage includes all the labor and expenses necessary to clean up from a malicious code attack. Not only are the direct costs of the cleanup considered, but any potential monetary loss is included. Proving $1,000 of damage is not hard to do. In the case of the Melissa virus, and other widespread malicious code, damages were estimated in the tens to hundreds of millions of dollars.

Each state has its own computer laws ( that can be applied toward computer crime, regardless of whether it falls under the control of the federal statute. The Melissa virus author was charged under both federal and state laws, and laws of both jurisdictions explicitly allow civil judgments, as well. The State of Pennsylvania recently signed into law a bill that calls for prison terms up to 7 years, a $15,000 fine, and restitution, for those convicted of intentionally spreading a computer virus.

Unfortunately, the reality is that hundreds of new malicious code programs are being created and spread each month, and almost none lead to criminal prosecution. For instance, the Washington Post reported that the Department of Defense suffered more than 22,000 electronic attacks (such as, probes, scans, viruses, Trojans, etc.) in 1999. About 3 percent caused temporary shutdowns or damage. Only in a handful resulted in any investigations, much less criminal prosecutions. Only in the biggest cases where attacks catch large amounts of media attention or significantly threaten our nation’s computer infrastructure, will the authorities do anything. For the foreseeable future, most malicious code hacking will continue with impunity.

Get Malicious Mobile Code now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.