The recent sentencing of a virus author in the US suggests that penalties for Internet crimes may be getting more severe. However, security experts say that changes to the law - and more convictions of virus writers and hackers - will be needed before punishment will be a sufficient deterrent to reduce risks to corporate systems.
Earlier this month, a US court sentenced David L Smith, the author of the Melissa virus, to 20 months in a federal prison. Smith had previously pleaded guilty to charges of computer theft and sending a damaging computer program, which caused over $80m of losses to businesses worldwide.
The sentence is a lot harsher than other penalties that have been handed down recently. In two separate cases last year, the author of the Kournikova virus, Jan de Wit, and hacker Raphael Gray, both of whom caused millions of pounds of damage to businesses, were sentenced to community service. They were sentenced in Holland and Wales respectively.
Antivirus experts welcomed the harsher penalty and said it could set a precedent for future sentencing. Graham Cluley, senior technology consultant at antivirus firm Sophos, commented, "The US authorities have given future computer crime cases a standard for sentencing. If you cause $80m of damage with a virus, you can expect a sentence of about 20 months."
Cluley added that this custodial sentence alone is unlikely to deter future virus writers. "We need regular cases of virus writers being apprehended and convicted to make any kind of impact on the youths typically behind them," he said. "That, I suspect, will send out a much stronger message than what has happened to David L Smith."
Prompter sentencing from the courts might also help to deter potential criminals. Smith first pleaded guilty at the end of 1999, but sentencing was delayed by more than two years. Cluley pointed out that since Smith's guilty plea, there have been several malicious worms much like Melissa. If the judge had awarded a tough penalty to Smith sooner, it might have discouraged the authors from releasing those malicious worms.
In Europe there seems to be inconsistency in sentencing virus writers. The lenient sentence for de Wit can be compared with an 18-month custodial sentence imposed by a UK court on Smeg virus author Christopher Pile in 1995. Mark Sunner, chief technology officer at managed email security provider MessageLabs, said the damage and destruction caused by computer crime should be reflected in heavier sentences. "It is vital that the UK justice system wakes up and is seen to deal with this most serious of problems," he added.
Aside from the possibility of tougher sentencing in courts, legislators are currently considering amendments to computer crime laws to ensure that people causing problems such as denial-of-service (DoS) attacks can be properly punished. At the start of May, the UK government published a bill to amend the 1990 Computer Misuse Act (CMA). At present, the CMA covers computer-related offences such as "unauthorised access to computer material". However, because the 1990 act preceded the growth of the Internet, legislators did not consider DoS attacks, and the resulting legal loophole means that such attacks are not covered by the legislation. If this bill is passed, the loophole would be closed.
Toby Ben, product manager at security company Preventon Technologies, said, "The CMA was an excellent step forward in fighting computer crime but, by the nature of the technology involved, computer crime advances [much] faster than statute." Ben added that if passed, the amendment would show that the UK intends to stamp out computer crime. "It shows that the UK is now taking these attacks seriously, and intends to start fighting back."