In the midst of all of this, Marcus Hutchins, then a 22-year-old British security researcher, stumbled upon a “kill switch” in the WannaCry code — a check that made the malware halt if a certain unregistered web domain began to respond. By registering that domain, he slammed the brakes on a global crisis. “The kill switch is why the U.S. hasn’t been touched so far,” one expert told The Times then.
WannaCry is a strain of ransomware, a type of malware that locks down a computer and encrypts its data, demanding a ransom in exchange for the decryption key. The 2017 outbreak highlighted two things: first, the dismal state of computer security in IT systems around the world, and second, the acceleration of cyberwarfare. According to U.S. authorities, North Korea was behind the WannaCry attack; the motive was to throw its enemies’ economies into disarray. Those behind WannaCry spread it using an exploit — code that weaponizes a software vulnerability, in this case a flaw in Windows file sharing known as EternalBlue — that had been developed by the United States’ National Security Agency and stolen from it by a Russia-linked group called the Shadow Brokers.
It’s against this dizzying backdrop that a young man from rural England halted a worldwide disaster. Although he took great pains to stay anonymous, he did not succeed once the British tabloids took an interest in the person who stopped WannaCry. After his unmasking, Hutchins was hailed as a “hero” and became the toast of the cybersecurity industry. He was on his way back home from Defcon, one of the oldest and biggest hacking conferences in the world, when he was arrested at the Las Vegas airport Aug. 2, 2017.
As it turned out, Hutchins had dabbled in the dark arts as a minor, continuing up until the age of 20, when he reversed course and dedicated himself to legitimate activities, like research. The U.S. attorney in the Eastern District of Wisconsin charged him with writing and conspiring to sell malware — specifically, the Kronos banking trojan, known to have attacked banks in France, Britain and India. The case dragged on for nearly two years, amid complex legal questions that could have been appealed. But Hutchins had no stomach for an interminable fight and pleaded guilty last week to two counts under the Computer Fraud and Abuse Act and the Wiretap Act, each carrying a maximum sentence of five years’ imprisonment.
The acts that he has pleaded to are ignoble. Kronos did serious damage, and in his plea agreement, Hutchins acknowledges that he was a witting conspirator in selling the malware. Nor does he attempt to raise the defense that his “black hat” past was necessary to become a “white hat” hero, even if that line resonates with the hacker community and popular culture at large. According to his lawyers, he rejects that line of thinking, calling it “a misnomer.”
Hutchins is not likely to receive a heavy sentence, but even a sentence without any prison time will come with consequences. He has been out on bail since 2017, residing in the United States on an expired tourist visa while waiting for his case to be resolved. That overstay alone will likely make it difficult for him to return to the United States in the future, and a felony conviction will restrict his movements further.
If he hadn’t risen to global prominence, Hutchins would most likely never have been charged with his crimes. His conviction sends the wrong message about whether it pays to mend your ways and, when the moment comes, to do the right thing.
As the world comes to rely on computer systems more and more, cybersecurity is increasingly a matter of life and death. But we only rarely see expertise deployed in an indisputably heroic way, amid rerouted ambulances and disabled hospital telephone lines. WannaCry never wreaked the same kind of havoc in the United States that it did in Britain, and we have Hutchins to thank for that.
For that reason, the justice system should show him mercy. But for stopping a North Korean cyberattack in its tracks, mercy is not enough — Marcus Hutchins should be pardoned.
This article originally appeared in The New York Times.