I think that there are appropriate (and possibly over-harsh depenidng
Shouldn't it be dependent on what type of money was lost during an attack? Somewhat comparable to injury compensation?
Here's a non-relevant anecdote you reminded me of: I once worked one summer for a construction company that was extending a mass-transit train line northeast of Washington, D.C. The tracks of an existing rail line parallel to our new line was laid upon about 6' of small rocks. Along those rocks for several yard/meters, a very thick metal-foil shielded cable jutted out from its rocky protection. I asked another crew member, "What's that?" "Oh, that's Sprint's fiber up the northeast corridor, " he replied. "It shouldn't be lying out there, should it? What if I or someone else took a shovel to it?" The foreman commented, "We'd be sued for $100,000 for every 10 minutes the line was cut." Being good at math, I was awestruck, "That's 6 million dollars per hour!" "Yeah, you'd likely be fired before the rest of us would be laid off," added our foreman. It gave me new-found respect for loose cables and later for Wiltel's gas pipe right-of-ways. IMHO, I'd say it's up to an ISP to calculate how much an attack costs them if they catch a hacker and then take them to trial. You don't hear of ISPs taking people to trial, though, just cutting off their access. If hackers know that they'll be sued if they're caught, it might deter them (from being caught at least ;^). -- Eric Ziegast