The case of a journalist charged Thursday with aiding the hacker group Anonymous is sending up red flags in two camps: employers who must worry about security threats from disgruntled ex-workers; and a digital rights group that is finding troublesome parallels with the prosecution of the late Aaron Swartz.
Matthew Keys, an online social media editor for Reuters, is alleged to have helped members of the hacker collective break into the network of the Tribune Company, his former employer.
The DoJ has filed three charges against Keys. If convicted, he could face decades in prison and six-figure fines. He has been suspended with pay from Reuters.
“I don’t think we want to make assumptions about this case until the facts are known, but certainly one would infer that these would seem to be actions by a disgruntled employee,” Mike Cavender, executive director of the Radio Television Digital News Association, told TechNewsWorld. “He hasn’t been convicted of anything as yet.”
Crime And Punishment
The Electronic Frontier Foundation, a digital rights group, has compared the case to that of Swartz, a cofounder of Reddit who committed suicide after being charged with 13 felony counts of fraud for breaking into and downloading several articles from an academic journal database. Swartz was facing a maximum of 35 years in prison and fines exceeding $1 million when his body was found in his Brooklyn apartment in mid-January.
“We’re worried that facing felony charges and a prison sentence — as well as the inherent pressures that come with that, as vividly illustrated in the Aaron Swartz case — can coerce defendants into taking plea agreements,” said EFF spokesperson Dave Maass.
The DoJ charged Keys in the Eastern District of California with one count each of conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer, and attempted transmission of information to damage a protected computer.
The indictment alleges that in December 2010, Keys — who had been terminated from his job as a Web producer at KTXL, a TV station in Sacramento, Calif. — provided members of Anonymous with the login credentials for a server belonging to the station’s corporate parent, the Tribune Company.
Keys had allegedly identified himself on an Internet chat forum as a former employee of the Tribune Company and, after providing the login credentials, had allegedly encouraged the members of Anonymous to disrupt the website.
The indictment claims that at least one of the hackers used the credentials provided by Keys to hack into the Tribune Company server and deface the Web version of a news feature published by The Los Angeles Times.
Keys allegedly applauded the defacement, and later tried to regain access to the server for the hacker after being told that Tribune Company system administrators had locked out the intruder.
The Government’s Charges
Keys faces a total of 25 years in prison and fines totaling $750,000. The DoJ is citing the Computer Fraud and Abuse Act to prosecute Keys — the same law it used against Swartz.
“Here, and at the risk of oversimplifying a complex set of allegations, we’re talking about what seems like minor damage: Website vandalism that lasted 30 minutes,” Maass told TechNewsWorld. “If a prosecutor threatened a felony conviction and a prison sentence for someone who helped a graffiti tagger access private property, that would seem disproportionate.”
However, the cybersecurity executive order issued by President Obama in February to protect critical infrastructure classifies website defacement as a cyberthreat, Caitlin Hayden, spokesperson for the White House National Security Council has said. [*Correction – March 18, 2013]
Guarding Against Insider Threats
The other issue surrounding the Keys case involves possible security threats to businesses from current or former employees.
“Insider errors and malicious data theft are a bigger risk than external hacks,” Stu Sjouwerman, founder and CEO of KnowBe4, told TechNewsWorld. “Everyone in your company has access to your data.”
Keys’ employers “should have locked down his user name and password and should have changed any resources he had access credentials for,” he added. “When people leave, you deprovision them. If you have the infrastructure in place, that’s 10 minutes of work.”
Companies need to have a thorough security structure that tracks the levels of sensitive data and who has access to it, Sjouwerman said. “They should compartmentalize their data, make granular access controls and make sure nobody has access to data they shouldn’t have.”
*ECT News Network editor’s note – March 18, 2013: Our original published version of this story stated without attribution that “the cybersecurity executive order issued by President Obama in February to protect critical infrastructure classifies website defacement as a cyberthreat.” In fact, it was White House National Security Council spokesperson Caitlin Hayden who reportedly said that the order classifies website defacement as a cyberthreat.