A Year Ago: Viruses: What punishment fits the crime?

Originally published Fri, 30 Apr 1999 07:54:17 GMT

Overkill or underpunished? A revelation on Thursday that a Taiwanese university had caught, and only lightly punished, the writer of the destructive CIH computer virus a year ago heated up the debate on what should be done to those who spread viruses.

Last April, the Tatung Institute of Technology identified senior Chen Ing-Hau as the writer of the CIH virus after several of its machines were damaged by the malignant code. However, Chen was not prosecuted, but merely reprimanded and given a demotion.

Contrast that to the alleged writer of the Melissa virus, David L. Smith. Caught at the beginning of April, Smith is looking at a maximum sentence of 40 years if convicted in New Jersey State Court. The immense differences in punishment illustrate a large rift in perceptions over the seriousness of computer viruses.

Smith's attorney says the United States needs to look before it leaps. "This simply demonstrates that what the state [of New Jersey] is attempting to do here is massive overkill," said Edward Borden, attorney at law firm Saul, Ewing, Remick & Saul, Smith's legal counsel. "There are many legal and policy issues that need to be resolved with respect to viruses first."

The New Jersey State District Attorney's Office doubts that Smith would get the maximum time if convicted, but defends the hard line it's taking in prosecuting the case. "If we didn't feel the arrest was warranted, we wouldn't have pursued it," said Rita Malley, spokeswoman for the district attorney.

Still, Melissa was essentially benign. CIH was deadly to some computers.

Melissa spread through Microsoft Corp.'s Outlook e-mail application by sending copies of itself to the top 50 entries in a user's address book. While it spread fast, overwhelming e-mail servers in a matter of hours, lasting damage was almost non-existent. In fact, Melissa may be a big reason why CIH didn't hit more computers in the US and Europe. "The Melissa virus was a very valuable wake-up call, especially in the United States where a lot of companies are dependent on Outlook and Microsoft Exchange," said Dan Schrader, director of product marketing for anti-virus firm Trend Micro Inc. "In updating for the Melissa virus, most American companies unwittingly protected themselves against CIH."

It was a different story further abroad. According to government estimates, South Korea racked up at least 240,000 infected computers, while Turkey had 300,000 downed by the virus and China estimated 100,000.

While Melissa bogged down servers, CIH attacked the users' PCs. The virus spread slowly through executable files -- those with a .exe extension -- and then erupted all at once, reformatting hard drives and, in many cases, causing data loss. The virus is also known as Chernobyl, since the most common variant attacks only on April 26, the anniversary of that Soviet Union nuclear disaster.

Carey Nachenberg, chief scientist with antivirus software lab Symantec Antivirus Research Centre, stressed that, even if CIH causes more damage, Melissa affected U.S. businesses more -- and that, in his opinion, explains the pressure to punish the Melissa virus writer. "CIH obviously did a lot of damage across the world," said Nachenberg. "But to say that Melissa didn't do much damage is an understatement."

The book might not be closed on Taiwan's Chen, either. According to Associated Press, officials of the Bureau of Criminal Investigation in Taiwan said they would seek permission to question Chen.

Officials at the FBI computer crime squad in the US and the National Infrastructure Protection Centre would not comment on whether they intended to attempt to prosecute Chen.
