A former system administrator was sentenced Tuesday to 41 months in federal jail and ordered to pay over US$2 million in restitution for a 1996 attack on his former employer's computer network.
Tim Lloyd, 39, of Wilmington Del., must now surrender to the U.S. Federal Court May 6. Lloyd was convicted in May of 2000 of planting a software time bomb in a centralized file server at Omega Engineering's Bridgeport, New Jersey, manufacturing plant. On July 31, 1996, the malicious software code destroyed the programs that ran the company's manufacturing machines, costing Omega more than $10 million in losses and $2 million in reprogramming costs, and eventually leading to 80 layoffs.
Lloyd, who had worked for Omega for 11 years and became "a trusted member of the family" there, had actually built the computer network that he would later destroy. Because of the attack, Omega lost its competitive footing in the high-tech instrument and measurement market.
"We will never recover," said plant manager Jim Ferguson during court testimony.
Lloyd's lawyer, Ed Crisonino, said he will appeal the sentence, which also carries with it a three-year probation. Under federal computer sabotage laws, Lloyd could have received up to five years in jail.
The Hon. William H. Walls, the judge who presided over the case, told Lloyd, "What you did not only affected the company but the people who worked there. We need to deter others in this increasingly computerized world and economy."
Prosecuting attorney V. Grady O'Malley said, "This was a devious and calculated act. It had a catastrophic effect on the company. The government must send a message to system managers and people in trust that there will be a day of reckoning."
The Lloyd case was the first federal criminal prosecution of computer sabotage. Industry observers had hailed the conviction as a precedent-setting victory, proving that the government is capable of tracking down and prosecuting computer crime.
The conviction was derailed, however, shortly after the verdict was handed down.
Soon after the jury rendered a guilty verdict in a U.S. District Court in Newark, N.J., Walls set aside the decision. He did so after a juror who heard the case approached the court with concerns days after the guilty verdict had been handed in. The juror told the judge she was unsure whether a piece of information she heard on the television news regarding the Love Bug had been factored into her verdict, according to O'Malley.
However, in October of 2001, the Third Circuit Court of Appeals in Philadelphia reinstated the guilty verdict. In its written decision, the appellate court found that the media report of the Love Bug was "totally unrelated" to the Lloyd case, the juror had not received the information improperly and the government's "heavy volume of incriminating evidence" made the Love Bug information irrelevant to the jury's decision. The appellate court stated that the "District Court abused its discretion in granting a new trial."
Industry analysts estimate that in-house security breaches account for 70 percent to 90 percent of the attacks on corporate computer networks. And the percentage is probably even higher than that because most insider attacks go undetected. In fact, Dennis Szerszen, director of security strategies at The Hurwitz Group in Framingham, Mass., says for every in-house attack reported, there could be as many as 50 that go unreported or undetected.