Hutchins’ plea deal raises as many questions as it answers

Earlier this week, Marcus Hutchins, the man who helped stop the WannaCry global ransomware attack, admitted in court to developing the Kronos banking malware as a teenager. Since 2014, Kronos has been used to hack into and steal from bank accounts. Hutchins’ public statement confessing his crimes caught my eye:

“As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

The confession appears to be the result of a plea bargain. By admitting to charges, he avoided facing other charges at trial. This makes for efficient but uncertain justice, as we outsiders still have no confirmation as to which of the original charges Hutchins has pleaded guilty to, nor what evidence prompted him to do so.



Some people who know Hutchins are defending the sincerity of his stated contrition: He really has outgrown the kind of childish amoralism necessary for writing malware, they say. Others wonder how much he could have “grown up” over the two short years that elapsed between the crimes (September 2015) and the arrest (August 2017).

This outcome leaves the hacker community and the cybersecurity industry in a bit of a quandary. How can they regain trust that Hutchins is a full practitioner of what he refers to as “constructive purposes” without first having the opportunity, via a public trial, to assess whether he’ll pay his full debt to society?

The plea deal essentially ensures that Hutchins will remain an unknown quantity, an outsider.

I wish Hutchins no ill, but I don’t intend to share with him any sensitive information any day soon. Many hackers and cybersecurity specialists will undoubtedly keep a close, skeptical eye on his demonstration of purity of intent and wisdom of care.

We acquire knowledge long before wisdom because without lived experience, we lack essential perspective. Hutchins likely felt no hatred toward the victims of his crimes—in fact, the concept of harm to others may have been an untethered abstraction to him. Yet by creating, selling, and enhancing his malware, he purposely and directly made possible, according to his plea, “form grabbers, keyloggers, and Web injects to intercept communications and collect personal information, including usernames, passwords, email addresses, and financial data, from any number of victim computers.”

Notably, “the malware was configured to avoid antivirus programs,” which seems to show awareness in Hutchins of his own wrongdoing. Real people experienced real harm at his deliberate intent. That’s going to take some time to forgive.

Forty-one years ago, as a teenager, I was arrested by a county sheriff in California for driving without a license. Something about the handcuffs, and the inside of the jail, and the fines I paid, and the remarks by the judge scared me deeply and convinced me that I, and not the law nor the system, had been in error.

I very much hope that the life I’ve lived since then shows my respect for civilized norms, especially including the rule of law, and that my early dumbassery served a useful purpose. I still learn most things the hard way, but no longer knowingly at the expense or risk of others, and never in a way that violates laws by which I am bound to society.

If Hutchins was just being a dumbass kid when he committed these crimes, and is learning some big life lessons the hard way, then he should eventually (re-)earn himself a place in various “trust groups” whose collective actions help keep the digitized and computerized economy safer. In the meantime, as people continue to deal with the harm he caused not even four years ago, this plea bargain may elicit as many questions as it answers.