The US inflated the $700,000 bill for damages it slapped on UFO hacker Gary McKinnon by stuffing it with costs incurred for patching the gaping holes the hacker had exposed in its computer security, according to a document filed with the Supreme Court.
The US had not taken reasonable steps to protect its security and now expects McKinnon to pick up the bill, said an expert witness statement made in McKinnon's ongoing appeal against a US extradition order.
Peter Sommer, professor of security at the London School of Economics, said damage assessments of computer security breaches should consider "whether the victims have taken reasonable steps to limit the damage".
McKinnon had used Remotely Anywhere, a software tool, to hack US military computers in search of UFO secrets. The 42-year-old faces extradition after being accused of hacking into 97 US government computers causing $700,000 of damage.
But Sommer said, "Every intrusion detection system I have come across would flag up the installation of a remote control program like Remotely Anywhere.
"Any firewall also ought to block the 'ports' [internet access points on a computer] used by Remotely Anywhere. On this basis, the costs claimed for are features that should have been there in the first place."
Sommer, who once advised insurers underwriting the risks of computer damage, said hackers could not be held accountable for the "consequential loss" resulting from their intrusion into systems unprotected by "preventative measures for reasonably foreseeable hazards".
"Insurers will not insure computers or computer-dependent businesses in the absence of reasonable levels of protection and means of recovery," he said.
But security experts in the US said McKinnon should be liable for the full $700,000 of security checks performed in his wake.
Professor Eugene Spafford, founder of the Center for Education and Research in Information Assurance and Security at Indiana's Purdue University, said the victim of a cybercrime should not take the blame. If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door.
Anthony Reyes, a former cybercrime detective who helped develop the US Cyber Counter Terrorism Investigations Program, said, "Just because security is weak, it doesn't give you a red flag to go into a computer system and start browsing around."
McKinnon faces extradition despite suicide risk