Gary McKinnon accused of breaking into military and NASA computers in what he claims was a search for UFOs, allegedly causing nearly $1 million in damage has lost his appeal for extradition to the United States.
McKinnon, 42, an unemployed computer administrator, allegedly broke into 97 computers belonging to the U.S. Army, Navy, Air Force, and Department of Defense from a bedroom in a north London home.
His attacks between 2001 and 2002 allegedly shut down the Army district responsible for protecting Washington, and cleared logs from computers at the Naval Weapons Station Earle in New Jersey that tracks the location and battle-readiness of Navy ships.
That last attack, coming immediately after the Sept. 11, knocked out the station's entire network of 300 computers. NASA and privately owned computers also were damaged, prosecutors said, putting the total cost of his online activities at $900,000.
At the time of his indictment, prosecutor Paul McNulty said McKinnon pulled off "the biggest hack of military computers ever at least ever detected."
In his defense, McKinnon, known online as SOLO, said he was trying to expose security weaknesses and uncover evidence of UFOs.
"I was a man obsessed," McKinnon wrote on The Guardian newspaper's Web site last year, describing a year spent trying to break into U.S. military systems: eight hours a day at a computer in his girlfriend's aunt's house while unkempt, drinking beer and smoking marijuana.
In interviews, he claimed that his hacking uncovered photographic proof of alien spacecraft and the names and ranks of "non-terrestrial officers."
Prosecutors accuse him of deliberately trying to intimidate the U.S. government by tearing through their networks. They pointed to a note written by McKinnon and left on an Army computer attacking U.S. foreign policy as "akin to government-sponsored terrorism."
"It was not a mistake that there was a huge security stand down on September 11 last year," he wrote. "I am SOLO. I will continue to disrupt at the highest levels."
McKinnon was caught in 2002 after some of the software used in the attacks was traced back to his girlfriend's e-mail account. The U.S. sought his extradition, a move his lawyer Claire Anderson claimed Wednesday was motivated by the government's desire to "make an example" of a man who humbled officials in Washington by hacking into their systems using off-the-shelf office software and a dial-up modem.
Aspects of American cyber-security had been shown up as "really shameful," with some computers not even password-protected, said Graham Cluley, a security consultant with Sophos PLC.
He said the United States appeared to be pursuing McKinnon in an effort to flexing its legal muscle to the hacking community, which has watched the case with interest.
"The overriding message is: You shouldn't mess with American government and military computers, particularly right after Sept. 11," Cluley said.
McKinnon's lawyers had hoped to hold any trial in Britain, saying he could be dragged before a military tribunal or even end up at Guantanamo Bay.
In their appeals, they said McKinnon was warned by U.S. officials that he would not be allowed to serve any part of his sentence in Britain unless he agreed to cooperate with his extradition. That, they argued, amounted to an unlawful threat and abuse of process.
Not so, Britain's House of Lords said Wednesday. Lord Brown, writing for Britain's highest court, said plea bargaining could only be called an abuse of process "in a wholly extreme case."
"This is far from being such a case," he said.
While the decision exhausts McKinnon's legal options in Britain, Anderson said she would appeal to the European Court of Human Rights in Strasbourg, France. She said British authorities had agreed to keep McKinnon in Britain for at least two weeks to allow his lawyers to prepare their application.
"If that fails, then it's off to jail in America for 60 years," McKinnon told the British Broadcasting Corp. "Rapists and murderers and real terrorists get less."
Should McKinnon be extradited, he would face trial in Virginia and New Jersey on eight charges of computer fraud.
Each charge potentially carries a sentence of up to 10 years in prison and $250,000 in fines. However, U.S. sentencing guidelines would likely recommend a much lighter sentence.