The Golden Cybersnitch

Why the feds should be lenient with hackers who become informants.

Hector Xavier Monsegur, aka Sabu, exits the U.S. District Court for the Southern District of New York in Lower Manhattan following his sentencing on May 27, 2014.

Photo by Brendan McDermid/Reuters

One of the most prominent cybercriminals of the past few years was permitted by a judge to walk free Tuesday—and thank goodness. Hector Xavier Monsegur, alias Sabu, was sentenced to seven months in prison (which he already served in 2012) and a year of probation instead of the 21 to 26 years of incarceration suggested by advisory federal sentencing guidelines for his crimes. He owes the significantly reduced sentence to the years following his 2011 arrest, when he served as an FBI informant. During that time he helped to prosecute several other cybercriminals, prevent hundreds of online attacks, and identify security vulnerabilities in critical infrastructure.

None of that negates the damage he did as a criminal, of course. As a co-founder of hacking group LulzSec, Monsegur has confessed to participating in attacks on the computer systems of Fox Television, PBS, Nintendo, Sony, the U.S. Senate, and more. “Monsegur and his co-conspirators indiscriminately targeted government agencies, private companies, and news media outlets,” wrote U.S. attorney Preet Bharara in a sentencing submission asking for leniency for Monsegur. He continues, “In many instances, the harms inflicted on these entities were significant, ranging from defacements of their websites to the exfiltration of personal identification information of customers or employees of the entities; the costs associated with repairing these attacks ran into the tens of millions of dollars.”

The estimated costs cited for cyberattacks are often fabricated from thin air—but whether his actions cost victims thousands or millions or billions of dollars, it’s clear enough, reading through Monsegur’s history, that he broke the law again and again, sometimes to steal money, sometimes to steal car parts, sometimes just to cause trouble. And for all that, I’m deeply relieved he’s not going back to prison.

Not because I believe he has reformed (he may have—who knows?—but he would certainly not be the first cybercriminal to cooperate extensively with law enforcement and then return to crime). It’s not that I’m worried about whether he’s planning to obey the law in the future, or even whether he repaid his debt to society by providing assistance that Bharara estimates helped prevent “millions of dollars” of losses. (Incidentally, this number should look equally, if not more, suspicious than the estimate of the damage he caused—there is no meaningful cyber arithmetic being done here, just hand-waving intended to convey that this was someone who did some really bad things and was then really helpful.)

I’m glad Monsegur is a free man because we need his help. We need him and other cybercriminals to help educate law enforcement agencies, as well as the rest of us, about their skills and processes and techniques and mentality. We need them because it’s incredibly difficult to learn in school how to think like someone who’s good at breaking into protected computer systems. I should know—I’ve spent the better part of four years of graduate school trying.

Obviously, I haven’t been studying to become a master cybercriminal (if only). I research computer security from the defensive perspective, the perspective of someone who wants to figure out better ways to protect computer systems and thwart criminals like Monsegur. The problem is that to defend against those master criminals, I need to be able to see what they see when they look at those systems, to understand how they identify and exploit vulnerabilities. So, loath as I am to admit it, law enforcement needs him and his peers more than me and mine—because, at least for the time being, no one knows enough about computer security and cybercriminals to be able to teach what they know or train people to see what they see.

So I’m glad Monsegur got off because I hope it will encourage others to follow in his footsteps, to believe that if they work with law enforcement to share their expertise, they, too, can go free. And yes, I think there’s probably some risk that that mentality could encourage people to commit cybercrimes without fear of being punished. But I think that’s a risk worth taking—a risk that may cost millions (or billions or trillions) of dollars in the short term, as calculated by the U.S. attorney’s office’s foolproof algorithms, but will bring us much closer to being able to pin down the tactics and thought processes of successful cybercriminals so that we can teach and train the good guys to think like them.

In a New York Times profile of another famous cybercriminal-turned-informant, Albert Gonzalez, a woman who worked with Gonzalez in the Justice Department’s Computer Crime and Intellectual Property Section says of him: “Albert was an educator. … We in law enforcement had never encountered anything like [him]. We had to learn the language, we had to learn the characters, their goals, their techniques. Albert taught us all of that.” 

Informants are used by law enforcement across all sorts of crimes—not just computer-related ones—but people like Monsegur are especially valuable because they can do more than use their connections to bring in and help prosecute other criminals. Monsegur did indeed help catch and convict many of his co-conspirators, but, as Bharara writes, “the number of prosecutions to which Monsegur contributed only partially conveys the significance and utility of his cooperation.” Monsegur also used his information and expertise to help secure a U.S. water utility and a foreign energy company against potential cyberattacks, as well as thwart actual attacks on targets including the U.S. armed forces and Congress.

Why was he able to do this better than the professionals working for the U.S. government? Partly, probably, this is a function of temperament—the people who join the FBI (or go to graduate school with me, for that matter) may not be the most adept at seeing the world through the lens of someone who’s up for rule-breaking and is always looking for a way around any barrier. Partly, also, it’s a question of technical expertise—you can learn a lot about computers in school, but much of it is geared toward building and fixing things, rather than breaking them. And part of it, of course, is about experience and contacts and the things that cannot quite be captured in problem sets and textbooks, but can only be learned from actually trying to take down the Senate website.

The value of that experience is one of the reasons that there’s so much fluidity between the criminal and professional worlds in this field. The criminals make the best consultants, just like they make the best red teamers—the people you hire to attack your own networks and find the vulnerabilities before the bad guys can. Even Monsegur, before he turned to a life of crime, was at one point planning to open a security firm. And maybe he still will, if he’s not too busy hiding from the angry Anonymous hackers who want revenge for the information he provided to the FBI. Or maybe he’ll instead follow in Gonzalez’s footsteps and carry out even more ambitious crimes and computer attacks than before. And if he does, I hope he gets caught—and I hope he decides to help his captors all over again. Even if he doesn’t learn anything from his time as an informant, we certainly will.

This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.