It’s not unheard of for government officials to lose their jobs following high-profile breaches. For instance, when the U.S. Office of Personnel Management was breached in 2015, the OPM director Katherine Archuleta and chief information officer Donna Seymour later resigned their positions.
But it’s something else entirely for employees who did not deliberately help intruders breach their employers’ computer systems to be charged with any kind of crime purely because of security negligence.
That’s exactly what happened in late November, when Albanian prosecutors requested that five government IT officials in the public administration department be placed under house arrest for failing to update the antivirus software on government computers. The Albanian IT officials are reportedly accused of “abuse of post,” which can carry penalties of up to seven years in prison, according to the Associated Press. It raises an important question: Does prison time for mistakes incentivize good security practices, or just disincentivize anyone from entering the field in the first place?
In July, Albania was hit by a cyberattack that took down many of the government’s websites and online services. The country’s National Agency for Information Society, known as AKSHI, announced it had been forced to shut down several government computer systems until the attacks could be “neutralized.” The U.S. government, Microsoft, and NATO all supported Albania’s efforts to investigate and remediate the attack in the following months.
As a result of that investigation, both the Albanian and the U.S. governments came away confident they knew whom to blame for the attack: Iran. In September, the Albanian government severed diplomatic ties with Iran over the attack and ordered staff at the Iranian embassy to leave the country, while the United States issued a public statement attributing the cyberattack to Iran and voicing support for Albania. Days later, Albania blamed Iran for yet another cyberattack that forced the country to take down its online Total Information Management System for logging people entering and leaving the country.
That public attribution and diplomatic retribution, as well as the follow-up cyberattack, seemed likely to mark the end of Albania’s response to Iran’s online activity, given how few state-sponsored cyberattacks garner even that much public response. Having so decisively attributed a cyberattack to another country, few governments go beyond that attribution to blame other individuals within their own government for what happened.
But then the house arrests happened.
The prosecutor’s office said, “If these employees would have acted in accordance with [legal guidelines] … by requesting information and updating with the latest antiviruses of the system, then the virus that first entered the administration would have been discovered in their systems to make it possible to neutralise it.”
According to an advisory issued by the Justice Department and the Department of Homeland Security, the intruders’ initial access to the Albanian computer systems came by exploiting a vulnerability in Microsoft SharePoint (a sharing platform for storing and editing documents collaboratively) that was first reported in 2019. That vulnerability was patched in 2019, well before the initial intrusion in Albania, which reportedly occurred 14 months before the attacks in July 2022, so roughly around May 2021. Given that the patches were issued more than two years before the Iranian hackers exploited the vulnerability to compromise Albanian systems, it makes sense for the Albanian government to conclude that a failure to download updates and patch their systems in a timely manner was what enabled the attack.
But that doesn’t take away from the fact that it is singularly unusual to see employees—whether government or private sector—face potential prison time for failing to download software updates in a timely manner.
On the one hand, those sorts of penalties could be seen as a triumph of taking security seriously and creating incentives for other employees to really pay attention to what they’re doing. After all, people would probably take much more care over downloading software updates if the penalty for not doing so is prison.
But even without knowing all the details of what exactly these employees did or did not do, I’m inclined to think this seems like overkill. After all, there are many reasons why people fail to install updates or new antivirus programs promptly, including concerns that the new updates may break existing systems and software. That’s not to say there shouldn’t be consequences for failing to install software updates and take appropriate IT security precautions—but at worst, those consequences should probably be losing your job. Unless the Albanian IT officers deliberately did not install the Microsoft updates in order to allow Iran to compromise their systems, it seems like a major overreaction to even consider sending them to prison. And it’s not an overreaction that’s designed to get security executives to take their responsibilities more seriously or to encourage more smart people to work in the field, but rather one designed to dissuade anyone from taking on any responsibility related to cybersecurity.
In October, former Uber Chief Security Officer Joseph Sullivan was convicted of covering up a data breach at Uber in 2016 and is now awaiting sentencing for charges that could carry penalties of up to eight years in prison. The charges against Sullivan are very different from the ones facing the Albanian IT workers, of course, but both are a reminder of how few nuanced and effective levers we seem to have found to incentivize organizations and employees to take cybersecurity seriously and how far the pendulum seems to have swung from individuals facing no consequences for security failures to them now, at least occasionally, facing disproportionately serious ones.
I’m someone who has argued before that there should be more significant penalties for cybersecurity breaches, that without serious fines and consequences organizations will never invest heavily in security, and I still basically believe that. I even think it’s often—though not always—appropriate for security executives and officials to lose their jobs following significant misjudgments and mistakes that enabled major breaches. But I do wonder whether the focus on punishing individuals, rather than organizations, has gone a little bit too far when those individuals start facing prison time.
Above all, the penalties for computer security failings and breaches should be designed to prevent such mistakes from being made in the future. But it’s far from clear that imprisoning (even under house arrest) the people who failed to download software updates or misled regulators about data breaches will have that effect. In fact, if IT workers in Albania (or elsewhere) decide that they have to install security patches immediately for fear of otherwise being sent to prison, that could lead to a different problem: patches being deployed without the testing and due diligence needed to ensure they won’t break other things. We want the people making decisions about cybersecurity to be able to do so in a smart, thoughtful, careful way, rather than rushing to make decisions driven by fear. Most of all, we want the people making decisions about cybersecurity to be smart, thoughtful, and careful. And why would such people enter a field where a common mistake could lead to a prison sentence?
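The two failure modes the article describes, a patch left uninstalled for years and a patch pushed to production without testing, are both things a patch-management program can measure rather than punish after the fact. The following is an added example, not code from the article or from any Albanian or U.S. agency: a small Python compliance check over a constructed host inventory. The SLA windows (7 days for a test ring, 30 days for production), the product names and the dates are all hypothetical; it flags hosts whose patch is past its SLA and products that reached production before any test-ring machine had installed them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PatchRecord:
    host: str
    ring: str                  # "test" (pilot machines) or "prod"
    product: str
    released: date             # vendor patch release date
    installed: Optional[date]  # None while the patch is still missing


# Hypothetical policy: pilot machines must patch within 7 days, production within 30.
SLA_DAYS = {"test": 7, "prod": 30}


def status(rec: PatchRecord, today: date) -> str:
    """Classify one host: compliant / late (installed past SLA) / pending / missing."""
    sla = timedelta(days=SLA_DAYS[rec.ring])
    if rec.installed is not None:
        return "compliant" if rec.installed - rec.released <= sla else "late"
    return "pending" if today - rec.released <= sla else "missing"


def days_overdue(rec: PatchRecord, today: date) -> int:
    """How many days past its SLA a still-missing patch is (0 if installed or in window)."""
    if rec.installed is not None:
        return 0
    return max(0, (today - rec.released).days - SLA_DAYS[rec.ring])


def prod_ahead_of_test(records: List[PatchRecord]) -> List[str]:
    """Products where a prod host installed the patch before any test-ring host did."""
    first_test: Dict[str, date] = {}
    for r in records:
        if r.ring == "test" and r.installed is not None:
            first_test[r.product] = min(first_test.get(r.product, r.installed), r.installed)
    flagged = set()
    for r in records:
        if r.ring == "prod" and r.installed is not None:
            t = first_test.get(r.product)
            if t is None or r.installed < t:
                flagged.add(r.product)
    return sorted(flagged)


def compliance_report(records: List[PatchRecord], today: date) -> dict:
    """Per-host status, overdue list, and products rolled to prod without a pilot."""
    overdue: List[Tuple[str, int]] = sorted(
        (r.host, days_overdue(r, today)) for r in records if days_overdue(r, today) > 0
    )
    return {
        "status": {r.host: status(r, today) for r in records},
        "overdue": overdue,
        "untested_rollouts": prod_ahead_of_test(records),
    }


# Constructed inventory (hostnames, products and dates are made up for the example).
SAMPLE = [
    PatchRecord("web-01", "test", "collab-server", date(2019, 2, 1), date(2019, 2, 5)),
    PatchRecord("web-02", "prod", "collab-server", date(2019, 2, 1), None),
    PatchRecord("web-03", "prod", "collab-server", date(2019, 2, 1), date(2019, 4, 20)),
    PatchRecord("db-01", "prod", "db-engine", date(2021, 4, 25), None),
    PatchRecord("db-02", "prod", "db-engine", date(2021, 4, 25), date(2021, 4, 26)),
]
TODAY = date(2021, 5, 1)  # constructed "as of" date for the report

if __name__ == "__main__":
    for key, value in compliance_report(SAMPLE, TODAY).items():
        print(f"{key}: {value}")
```

With the constructed data, `web-02` shows up as 790 days overdue (the kind of multi-year gap the article describes), `web-03` as installed but late, and `db-engine` as a product that went straight to production without a test-ring install, which is the rushed-patching failure mode the article worries a prison threat would encourage. Run on a real inventory export, the report gives a manager evidence of both problems before either becomes a breach.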
Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.