The Curious Case of Gary McKinnon Gary McKinnon is a citizen of the United Kingdom and was born on 10 February 1966. While in London between 2001 - 2002, McKinnon hacked into the U.S. military and NASA computers using the alias Solo causing $800,000 in damages (Campbell, 2014). While in the systems, McKinnon deleted vital files from the operating systems, which ultimately shutdown approximately 2,000 computers on the U.S. Army and Navy networks. In 2002, the UK National Hi-Tech Crime Unit (NHTCU) interviewed McKinnon and his computer was seized. During the interview, he acknowledged accessing the systems, but stated he was gathering information about UFOs because the government was hiding pertinent facts. Additionally, McKinnon was indicted by a federal grand jury in the U.S. and potentially faced a maximum sentence of 70 years in confinement; however, he was not extradited because of a controversy involving jurisdiction , extradition laws and penalties for cyber crime. Furthermore, the Director of Public Prosecutions (DPP) refused to conduct a trial in the UK because a bulk of the evidence was located in the US and McKinnon’s actions were against the US and its interests (Arnell & Reid, 2009).

In 2008, McKinnon was medically diagnosed with Asperger’s Syndrome, a form of autism, and having clinical depression. After being diagnosed, the political parties within the UK were divided because the main topic of discussion was McKinnon’s human rights versus his criminal behavior (Mackenzie & Watts, 2010). Even though some called McKinnon’s condition a trick and a way for him to avoid extradition, others felt the UK government was being insensitive and should have done more because various reports had been released indicating McKinnon was susceptible to commit suicide if he was sent to a U.S. prison. As a result, in 2009, Theresa May, Home Secretary, informed Parliament that due to McKinnon’s illness and advice issued by legal and medical professionals she would withdraw the extradition order because of his vulnerability and it being considered a human rights violation (Campbell, 2014). Additionally, if McKinnon was to be tried in a court within the UK, he should be tried on lesser charges to protect his mental health. This decision highlighted the inconsistencies between the US and UK extradition treaty, in which an extradition decision was not levied until ten years after the security breech. As a result, the US and UK developed similar laws regarding cyber crimes establishing precedence for other countries. The current extradition treaties between the US and UK allow both countries to receive extradition requests, arrest the suspect, determine the lawfulness of the request and prove reasonable suspicion.

The importance of cyber security has increased since the 1970s and a lot of adversaries are looking for easy routes to conduct cyber attacks. To prevent future cyber attacks, companies must be able to assess the environment for threats, protect the network and servers, and monitor the environment for improvement (Dong, Han, Guo, & Xie, 2015). To ensure a company’s electronic communications are receiving the appropriate amount of security, companies should invest in the information technology (IT) department. The IT department is responsible for identifying important computer and digital assets, conducting reviews, validating testing, assessing potential threats and vulnerabilities, performing risk assessments and maintaining the day to day security program. Once the IT department has implemented a security program, they must employ operational security controls in which increase awareness through training, perform maintenance and incident response and media protection. Afterwards, the IT department must develop methods to ensure system and information integrity. If the IT department does not have process to monitor the quality of the network, the network will be vulnerable. Additionally, IT departments should conduct a risk assessment and develop policies that control what types of devices that can be connected to the network with appropriate approval level from management (Dong, Han, Guo, & Xie, 2015). While everything can be essentially found while browsing the Internet, IT departments should take appropriate steps to protect the network from risk of attack from viruses or external attacks by utilizing firewalls. Even though firewalls offer some support, they should never be on the only defense; therefore, authentication techniques must be employed. While focusing on internal infrastructure, companies should employ anti-virus software and ensure it is updated on a regular basis with the latest virus and hacker information. IT departments should established applications and conduct exercises to test the security measures. Lastly, once security procedures have been established and disseminated to all employees, IT specialist should regularly review server logs for attacks. If an attack is identified during the review, procedures must be implemented to determine which systems were impacted and the method in which the system was compromised. An effective cyber security program will not only enhance the overall security of the system and company, but will provide a level of risk management can accept.

Cyber crime has increased throughout the years and it is not isolated to a single type of individual. As technology evolves, it is imperative governments are communicating and establish similar laws to punish violators to prevent jurisidiction issues. The potential difficulties of investigating a case from abroad should not be underestimated and the following things should be considered: time, logistics associated with transferring or transporting evidence, witness availability, and the need to fully comply with another governments policies regarding disclosure. Furthermore, companies have to be more proactive in securing their network and ensuring the information is released to personnel with a valid need to know. When companies fail to secure their network, they are creating incidents in which critical information may be used for alternative purposes other than what was designed.

References

Arnell, P., & Reid, A. (2009). Hackers Beware: The Cautionary Story of Gary McKinnon. Information and Communications Technology Law , 18 (1), 1-12.

Campbell, D. (2014, July 31). Hacker Warned Over Visiting Ill Father in Glasgow Over Possible Extradition Risk. Retrieved March 13, 2015, from The Guardian: http://www.theguardian.com/world/2014/jul/31/gary-mckinnon-hacking-ill-father-glasgow-extradition-us

Dong, P., Han, Y., Guo, X., & Xie, F. (2015). A Systematic Review of Studies on Cyber Physical System Security. International Journal of Security and Its Applications , 9 (1), 155-164.

Mackenzie, R., & Watts, J. (2010, April). Injustice and Disabilities: The Case Against the Extradition of Gary McKinnon to the USA. Tizard Learning Disability Review , 15 (2), pp. 45-51.