Terry Childs has been sentenced to four years in prison, and now has been ordered to pay $1.5 million restitution to the City of San Francisco for not relinquishing the passwords to the city's FiberWAN network for a period of 12 days.
Just to be clear here, there was no outage, no loss of service, and no problems with the network during this time period. No user lost access to applications, data, or services, and no city activities were impeded. There was no actual damage directly stemming from his actions. In fact, as he has argued, he was following policies laid out by the city itself by not providing the passwords. If you recall, he was asked for the passwords in a room full of people who had no reason to know them and another group of people listening in on speakerphone. He was subsequently jailed and held for 18 months before the trial even began.
[ Paul Venezia was first to discover the real story behind the bizarre Terry Childs case. | Read Paul's in-depth advice on planning and deploying a network to handle virtualization. ]
Now a judge has ordered him to pay the equivalent of $75,000 a year for 20 years. What's next? Will they also kick him in the ribs a dozen times for good measure?
The City claims that the $1.5 million figure comes from the amount spent trying to break into its own network in lieu of having the passwords, and to test the network for vulnerabilities after he divulged that information. Not only does that seem like an extremely large figure for this work, I have a hard time placing the financial burden on Childs for the vulnerability testing -- the kind that every IT shop should do regularly.
I can understand the desire to vulnerability test the network following this debacle, but that should have been done anyway. And what if Childs had been hit by that proverbial bus? Would the City have come after his estate for the same costs? It feels like the government used this as an opportunity to turn the consulting dial up to 11 because it knew it'd be going after Childs for any costs incurred, legitimate or not. After all, $1.5 million is an awful lot of money. There would be no capital expenses since no hardware was damaged, so it must be all labor -- that works out to 7,500 hours billed by consultants charging $200 per hour. That's 937 8-hour days. You could have rebuilt the entire network from scratch at least twice over for that amount.