Cyber security experts and companies that avoided damage from the WannaCry ransomware are being urged to support a computer security researcher hailed for cracking the first “malware attack with threat to life”.
Marcus Hutchins, a British citizen, faces trial in the US, which IT experts fear could have a chilling effect on the computer security industry and security research community.
He was arrested in Las Vegas airport last week, on the way home from a security conference, after the US issued an indictment accusing him of creating and selling malware.
Rallying support for Hutchins
A small group of computer experts, students and campaigners defied heavy rain to gather in London last night (9 August 2017) to discuss ways to support Hutchins, who faces a lengthy prison sentence in the US if convicted.
The 23-year-old security consultant from Ilfracombe in Devon could face a decade in prison if convicted under the controversial US Computer Fraud and Abuse Act.
Naomi Colvin, who represents the Courage Foundation that is supporting Hutchins, said the US indictment against him was “very thin”.
“Marcus came into prominence with WannaCry, which led to hospitals being closed. We could make the argument that this is the first malware attack with threat to life,” said Colvin.
She urged people in the NHS who were affected or could have been affected by WannaCry to back Hutchins.
Hutchins was released on £23,000 (US$30,000) bail on 4 August, in what legal experts described as an unusual step in an alleged hacking case. His release came after his local Conservative MP, Peter Heaton-Jones, and 12 others sent letters of support on his behalf.
Hutchins is due back in court in Milwaukee on 14 August, where he is expected to enter a plea.
Limiting WannaCry’s reach
The 23-year-old is credited with halting the WannaCry malware in May. He disabled it before US workers arrived at their offices, preventing its spread across the country.
A friend of Hutchins’s, who did not want to be named, said: “It’s not just WannaCry. Marcus has been involved in other malware cases. He has stopped harm before.”
Hutchins was arrested on 2 August after attending the Def Con security conference in Las Vegas. He faces six charges of creating and selling Kronos malware between July 2014 and July 2015, and could face a long prison sentence if found guilty under US law.
IT experts called on people in the industry to write about the technical role Hutchins played in limiting the damage caused by WannaCry.
Computer experts said they were worried that cases like Hutchins’s would have a chilling effect on computer security researchers, for fear they would face prosecution.
Lauri Love: ‘Hutchins betrayed by UK government’
Hutchins’s supporters were concerned that he was arrested despite collaborating with the UK’s National Cyber Security Centre (NCSC).
Computer scientist Lauri Love, who is fighting extradition to the US on charges of stealing data from US government computers, said he’d have expected the NCSC to express concerns.
“It is not just betrayal,” he said. “It is massively against its self-interest. It’s in the government’s interest to work with the hacking community.”
He said it was crucial that people working on countering or preventing these attacks were allowed to do so. “It was the first time human lives were put in jeopardy,” he pointed out.
IT experts fear negative effect on security work
Love said he was thinking about setting up an organisation that would offer advocacy and mutual support to security researchers. “We need to get the recognition as a professional body,” he said.
Another unnamed IT expert warned: “There’s concern from a lot of people who do not want to be targets themselves. I think it will have a chilling effect.”
A computer security specialist, Gareth, who did not want to give his full name, runs a non-profit organisation that operates a Tor exit node, which allows people to browse the web securely and anonymously.
He said he was concerned that if “one of the prestigious cyber security experts was ambushed, it may have a chilling effect on other people doing this research”.
IT worker Patrick McElligott said people in organisations that had been affected by the malware that Hutchins helped to stop – the NHS or any big organisation – could show their support. WannaCry could have caused them huge amounts of damage, he said.
A friend of Hutchins’s told Computer Weekly: “We risk losing a key element of defending networks and alienating an entire community to prevent some of these attacks. The effect it has had on the security research community has been substantial.”
Extradition lawyer urges NHS staff to support Hutchins
Although it was not known if Hutchins had any medical conditions, such as Asperger's or autism, Todner said she was concerned about the lack of support facilities in US prisons.
“Potentially, his medical condition would be horrendous. He would really struggle,” she warned.
Todner, a specialist in US extradition cases who has experience of working with clients with Asperger's and autism, said people concerned about the case could contribute to Hutchins’s legal costs and living expenses.
IT experts and officials in the NHS who benefited from Hutchins’s work in combating WannaCry could write letters to the US authorities pointing out how he had helped, she said, adding that foreign secretary Boris Johnson should also be urged to act.
If convicted in the UK, Hutchins would face a short prison term, said Todner.
Supporters said a crowdfunding site had been set up to help with Hutchins’s legal costs, and urged people to send him books and letters of support as he awaits trial.