So Gary McKinnon stays free – for now.
At Computer Weekly, we’ve followed the self-confessed hacker’s story for the 10 years it’s taken to fight his extradition to the US. Along the way we’ve seen his cause become an international issue, with prime ministers and presidents discussing his case.
It’s for others to discuss the legalities of home secretary Theresa May’s decision to rescind the extradition order. It’s also for others to debate the approach of US prosecutors that once told McKinnon they wanted him “to fry”.
But it’s also important to remember that McKinnon is guilty – something he has never denied. It is right that he should face up to the law, and the consequences of his actions – but it’s equally right that those consequences should be proportionate to the crime.
The 10 years since McKinnon came to public attention have put his hacking into a very different context. Governments now do far worse on a regular basis than Gary did. It is easy to ponder that the Pentagon would have remained vulnerable to cyber attacks from people with much worse intent were it not for the holes that McKinnon exposed. That’s no excuse though, of course.
It’s probably not difficult to argue also that the Pentagon and other intelligence services learned a lot about what they can get away with in cross-border cyber intrusion.
And as we’ve seen in the last year or two, there are plenty of new young Garys out there, operating under the guise of hacktivist groups like Anonymous, still exploiting the security flaws that are all too inherent in modern technology.
The immediate priority for McKinnon is his health. Then he has to face whatever the legal authorities in the UK decide to do about his case. But he also now has an opportunity to put something back into the IT security community, and it would be great to see him put his unwanted notoriety to good use in highlighting to others just how vulnerable our IT systems remain. Nick Leeson, the man who brought down Barings Bank, does a similar thing these days about banking fraud.
But beyond the legalities, and the human cost of McKinnon’s 10-year ordeal, there is a lesson for everyone in IT. Information security is now a matter of national security, let alone of business success. Gary McKinnon’s case went well beyond the hacking crime he committed. IT security goes well beyond the technicalities of hackers and viruses. If Gary’s legacy is to put the topic onto the boardroom agenda of every organisation, then he can, at least, be thanked for that.