The Royal Courts of Justice, with its wood-panelled rooms and shelves of yellowing tomes, is an unusual location for a cyber breakthrough. But it was here that computer security industry yesterday received one of its biggest boosts to date. Forget venture capitalists, GCHQ accelerator programmes and Israeli startups, the Lord Chief Justice is this week leading the charge. In a decision that is being celebrated in the technology world, the Court of Appeal ruled that it would not extradite Lauri Love to the US. Having stared down the barrel of a 99-year prison sentence across the Atlantic for more than four years, the 33-year-old from Suffolk could finally breathe easily.
The institution was awash with a motley mix of hippies and hackers who had come to support Love. From their brightly-clad, tousle-haired ranks, cheers echoed around the vaulted ceiling and chants of “freedom” and “Lauri” carried down the halls. Mid-way through giving his judgement, the Lord Chief Justice scolded the crowd about their rowdiness. “Be quiet. This is not a theatre,” he said.
But they had reason to celebrate. For the past 15 years, talented computer geeks have fallen foul of the US justice system and suffered severe consequences. In a case similar to Love’s, Gary McKinnon, a British hacker with autism, fought against extradition for a decade, on charges of hacking into the Pentagon to look for evidence of UFOs. In 2012, Theresa May, then home secretary, finally blocked the order.
A year later, in the US, Aaron Swartz, a well-regarded programmer known for developing the social network Reddit, died by suicide. He had recently accused of illegally downloading articles from academic site JStor to distribute them online. The 26-year-old was facing a prison sentence of up to 35 years if found guilty.
Swartz’s death gripped the hearts of technology geeks and hackers, including Love. To them, he was a genius who had helped create one of the core foundations of the internet. His death had robbed the world of a pioneer, and the US government was to blame.
Love is accused of hacking into the US Army and Federal Reserve in protest against Swartz’s arrest and death. His extradition was halted on the grounds that his alleged crimes were committed in the UK.
For his supporters, though, Love is yet another casualty of the system, who has lost five years of his life. While it is understandable that governments wish to punish criminals, the biggest threat to their citizens’ online security comes from international cyber crime gangs, and the people with the know-how to combat them are exactly individuals like Love.
As a reporter at The Telegraph, I have been covering Love’s case for a number of years. I first met him at an encryption training class for journalists in 2015, which was run at King’s College London by former “blackhat” hacker Mustafa Al-Bassam. Al-Bassam was convicted of hacking into the US Air Force and Sony, among others, as part of the Lulzsec group, short for “laughing at your security”. He was just 16 and given a 20-month suspended sentence. Five years later, he is studying for a PhD in the field of computer security. Al-Bassam and his fellow Lulzsec hacker Jake Davis, who earned a two year sentence and is now an ethical hacker, were at the courthouse to support Love. They are exemplary of how proportional responses to criminal behaviour can help the UK use the abilities of hackers.
Cyber attacks are one of the biggest security threats facing the UK. Last year, for the first time, a hack came close to causing physical harm when the WannaCry ransomware attack shut down dozens of NHS Trusts and forced the cancellation of thousands of appointments, including operations.
The number of people who have the skills to defend against such attacks hasn’t grown proportionately, though. Experts have warned that, if the UK doesn’t close the gap between the attackers and defenders, it could face a serious problem. Major infrastructure, including the energy grid, hospitals and water plants, could become victims, as could businesses and schools. With the proliferation of connectivity, every institution is now at risk of cyber attack. This isn’t to scaremonger, but to show that the country needs to nurture talent where it exists. Love, Al-Bassam and Davis could be one antidote to the growing number of cyber attacks.
The ruling in Love’s favour will be welcomed by youngsters with natural talent and a desire to fix broken systems. But the fight isn’t over. In addition to training more security experts and dissuading more youngsters with talent from turning to crime, the UK needs to push for Marcus Hutchins’s return. Dubbed the “WannaCry Hero” Hutchins, 23, found the “kill switch” for WannaCry, the global ransomware attack that spread to 150 countries, including the above-mentioned attack on the NHS. He had been working as an expert in malicious computer programmes.
Yet Hutchins was arrested as he was last summer leaving Las Vegas, where he had been for a security conference. The FBI accused him of creating and distributing malware three years ago, and he is now facing up to 40 years in a US prison if found guilty (Hutchins is unable to talk about his case). Like Love, Hutchins should face justice in the UK. His talents have already proved vital to securing our society.
Love is now expecting to be tried in the UK. He is hoping that, if convicted, his sentence will be lenient, perhaps suspended even, based on time served and his commitment to helping secure systems. Should his hopes be realised, Love will now be able to complete his computer science degree and conduct the urgent security work that I know keeps him awake at night.