Q&A with David Schindler

Assistant U.S. attorney David Schindler has locked up some of the biggest names in hacking during his 10-year career in the federal prosecutor's office in Los Angeles, including Kevin Poulsen, Kevin Mitnick and Justin Petersen. He also won the conviction of former Arizona governor Fife Symington on bank fraud charges in 1997 (though a federal appeals court overturned the conviction).

This month, Schindler's leaving the prosecutor's office to join the law firm of Latham & Watkins, where he'll work on cases involving intellectual property and other computer-related issues.

The following is an edited transcript of ZDNN Senior Writer Lisa M. Bowman's recent interview with Schindler as he looks back at his decade of taking on hackers.

Q: Why are you leaving?

A: I've been prosecuting cases for over 10 years, and it's time for a change. I've had probably one of the best experiences I could've ever imagined having here as a prosecutor. I've prosecuted some great cases, worked with some fabulous agents, some terrific lawyers here, but it was time to do something different. It sort of got to that point where I realized I wanted some new challenges and a change of venue.

Q: Should hackers breathe a sigh of relief that you're leaving?

A: No, I think that's sort of a myth. The reality of the situation is there are very talented lawyers still here, some fabulous FBI agents, and the reality is though I may be gone, there will always be a fabulous team of prosecutors and agents who are doing the exact same work that I've done.

Q: Some people see hackers as just surly cyberpunks, not hardened criminals? What do you think about that?

'I think it would be natural to see an evolution in the numbers and types of computer crime cases.' -- David Schindler

A: This is a debate that's gone on for a long time. First of all, Mitnick, for example, is in his mid-30s. We've certainly seen cases of 15- or 16-year-olds up in their basement hacking away, the "Cheetos kids," as we used to refer to them. But the hackers today are a very different breed. These are people who are motivated by greed in some instances, sometimes motivated by more nefarious motivations, whether it's to harm a company or whether it's to harm a victim. For example, if I break in through your computer and download a copy of the proprietary manuscript or the proprietary formula that you've developed, you have every right to be concerned and society should be just as concerned.

Q: Do you think people are concerned about cybercrime?

A: As more and more people have computers, as more and more people have information that's important to them on computers, the norms and mores are starting to change.

Q: How does catching cyber criminals differ from catching people who commit crimes in the real world?

A: The biggest problem grows out of the fact that there is anonymity on the Net. If an intrusion appears to come from a certain person's account, chances are it's not coming from that person's account, but instead someone has compromised the account and is using that to launch a hack somewhere else. That's something we see in this arena and something that we factor into investigations, and ultimately the prosecution, of these cases.

Q: What are the differences between prosecuting computer-related cases and other cases?

A: First of all you need to have an understanding of the technology. Certainly, we're not experts. We're not going to sit down and program in FORTRAN and COBOL tomorrow. On the other hand, prosecutors and agents have done a pretty good job of getting up to speed and understanding the technology, understanding how it works. You need to have an appreciation for how these crimes take place. It's not like a bank robbery case, where someone walks in, holds out a gun, and everyone sees that person, knows who he is and can identify him in a lineup. Rather, there's a lot more circumstantial evidence that goes into these kinds of cases. That probably in and of itself is the most difficult issue. And it comes out of the anonymity that's out there on the Net.

Q: Some of the hackers you've prosecuted have served very long jail sentences. What do you think about jailing hackers?

A: Some of them have pasts. They're recidivists. In other words, they were hacking before; they've gotten into trouble before. They were given slaps on the wrist, treated more leniently. Hence, by the time they get back into the system, they have one or two or four convictions. The question of how much time they should spend in jail is a societal one. There are those who say the penalties are too harsh. There are some that say the penalties are too lenient. I think you have to take it on a case-by-case basis.

Q: What about prohibiting hackers from using computers during their parole?

A: You need to put it in the appropriate context. If you have someone who's convicted of drug offenses, part of what you do during their time of supervised release is to monitor and to make sure they're not taking drugs -- they're not reverting back to a life of crime if that's what got them into trouble in the first instance. I think society would be upset if during that period where these people are being supervised, the court didn't take appropriate steps to make sure they didn't revert right back to hacking or other computer crimes. The other thing you need to understand is that those restrictions are imposed during a time of supervised release, which is designed specifically to make sure that the defendant integrates back into society and is doing a good job of walking the straight and narrow.

Q: How do you determine damages in a hacking case?

A: There is a healthy debate over the question of damages. But you need to understand that we as prosecutors look at it from the perspective of the victim. If you have a company that's invested hundreds of million of dollars in proprietary software, then they discover that that proprietary software has been taken -- software that they may license for a million dollars a pop -- there's a real question of whether software that has been taken by somebody without permission should be valued at the $100 million it cost to develop it, or the million dollars that it would've cost the hacker if she or he had applied for a license from the company. Then there are the questions associated with catching the hacker, patching the holes into the system, additional system administrator time, the investigation into the intrusion. There's a wide array of damages or numbers that go into that computation.

Q: Will we see more computer crime in the future?

A: I think it's inevitable. As more and more people become reliant on computers, more and more companies engage in e-commerce, and more individuals are using computers at home, I think it would be natural to see an evolution in the numbers and types of computer crime cases. That's what we've seen in the last eight or nine years I've been involved in these kinds of cases.

Q: Can the legal system keep up with cybercrime?

A: I think the system's done a very good job of getting up to speed. Certainly there was potential five or six years ago for us to fall far behind the curve, but the DOJ, this office, and the FBI did a fabulous job of really trying to gear up and invest the resources, take the time to train the people so that we wouldn't be behind the curve.

Q: How are law firms responding?

A: Certainly you're seeing a lot of firms, and Latham in particular, looking to service clients who have e-commerce-related problems. Whether it's the theft of trade secrets, a client has developed a proprietary formula that gets stolen, or there's some sort of intrusion into their proprietary networks, more and more firms understand that they need to have the capability to do both the analysis -- in other words get in there and find out what happened -- as well as go after whoever it is that may have done the intrusion.

Q: Any chance that you'll be defending hackers in the future?

A: I suspect that having been a prosecutor all these years, there's not that many people in the hacking community who are that interested in retaining me, but I'll cross that bridge when I get to it.