"We are hoping that the sentence has a significant deterrent impact," said Robert J. Cleary, the U.S. attorney for the District of New Jersey, who led the federal prosecution. "I think this will have the effect we want. Those predisposed to white-collar crimes really do balance risk versus reward."
Smith, 31, pleaded guilty in both state and federal courts on Thursday, agreeing that the virus he wrote and released -- named "Melissa" after a Florida stripper -- caused US$80 million in damages (the minimum monetary amount needed in order to trigger stiffer federal sentencing guidelines).
Smith is expected to receive anywhere between a four- and five-year sentence in the federal case and up to a 10-year sentence in the state case, accompanied by total fines of up to US$400,000. As part of the plea agreement, state prosecutors have recommended that the sentences run concurrently.
"The sentencing guidelines attempt to minimize disparity. If that works here, then anyone else that sends a virus out that does US$80 million in damage should expect a similar sentence," said Cleary.
Melissa's March madness
The Melissa macro computer virus hit companies on Friday, March 26 after being released to a Usenet newsgroup as part of a list of porn sites contained in a Word document infected with the virus.
The virus, which mailed itself out to the first 50 addresses listed in the address book of Microsoft's Outlook email client, caused a massive spike in email traffic, flooding corporate e-mail servers. Companies such as Microsoft, Lockheed Martin and Lucent Technologies shut down their gateways to the Internet in the face of the threat.
Smith -- then a resident of Aberdeen, New Jersey -- was arrested on April 1 by New Jersey authorities.
"This becomes a landmark case, because it's the first time the (U.S.) federal government has successfully prosecuted a computer virus writer," said Dr. Peter Tippett, chief technologist at computer security firm ICSA.net, which helped the U.S. prosecutors estimate the damages caused by Melissa.
Deterrent effect
Tippett and others point to a virus case in England as potential proof that such a deterrent could work.
In November 1995, the UK courts sentenced Chris Pile -- known underground as the Black Baron -- to 18 months in jail. The 26-year-old, self-taught programmer admitted to five counts of unauthorized access to computers to facilitate crime and five unauthorized modifications of computer software over a two-year period.
Since that time, no major viruses have come out of the UK, said Tippett.
Smith appeared in Monmouth County, N.J., Superior Court at 10 a.m. ET on Thursday, followed by his appearance at the U.S. District Court in Newark at 1:30 p.m. ET to answer to federal charges in the case. In both courtrooms, Smith admitted his guilt and agreed with the damages.
When the judge in the Monmouth County court case asked if Smith agreed that it caused US$80 million in damage to computer systems nationwide, Smith replied, "I certainly agree. It did result in those consequences -- without question."
Edward Borden, Smith's attorney in the case, could not be reached for comment.
