bounty on hackers that was announced Wednesday may be more a mix of public relations stunt and scare tactic, given the dismal track record for finding people responsible for unleashing viruses and worms.
"I don't know what effect, if any, this will actually have," said Doug Isenberg, founder and publisher of GigaLaw.com and an attorney in Atlanta. "Although it might be money well-spent, it also might be well-spent designing products that are not vulnerable to these kinds of attacks in the first place."
Joined by representatives from the FBI, Secret Service and Interpol, Microsoft executives announced $250,000 rewards for information leading to the arrest and conviction of each of the cyber-criminals responsible for unleashing the Blaster worm and Sobig virus this summer. Those are the first two rewards the company has announced as part of a $5 million antivirus reward fund created to help law enforcement agencies identify and bring to justice those who release worms, viruses and other malicious attacks on the Internet.
"I think the PR benefit to Microsoft is more significant than anything else," Isenberg said. "It gives the image, if nothing else, that Microsoft is taking these security threats seriously and is doing something about them and cares about the impact that these are having."
Microsoft, whose buggy software has drawn its share of critics as well as hackers, has been touting efforts at improving security since it launched its so-called trustworthy computing initiative almost two years ago. Its past fiscal quarter, however, marked the first time the world's largest software maker has said security woes -- sparked by the two major blended virus outbreaks -- actually hurt revenue.
"I think what happened is their quarterly numbers took a dip in large part due to particular infections," said Tony Magallanez, a systems engineer at Finnish security firm F-Secure's office in San Jose, Calif. "I think their thinking is that possibly by offering this in-total $500,000 incentive, they may be able to raise the bottom line. It's sort of a small investment to keep it from happening again."
"It's an unusual strategy, but we as a company think it's not too far off-base," he added.
While the track record of catching those responsible for such crimes is dismal, Microsoft is tapping into the fact that the vast majority of those nabbed are caught because they bragged about the crime, legal and security experts said.
"Probably more than 90% of virus writers are caught because of people they have told," Magallanez said. Authorities have arrested two youths in connection with the Blaster worm but have not found its original creator.
Trouble is, if someone is identified, proving he or she is responsible is yet another challenge. "You'd be surprised" what people leave on their computers, Magallanez said. But he suspects "most virus writers are savvy enough" to remove evidence. And if there's nothing left on a machine, there's very little way to prove a case, he added.
Geography is another hurdle, said Fred von Lohmann, senior staff attorney at the Electronic Frontier Foundation, who wondered whether the bounty can help American authorities track down cyber-criminals in other countries.
"All I can say is that the individuals responsible for the largest viruses for the last couple of years have never been found or prosecuted," he added. "If that's any indication, it's a hard problem."
Philip Reitinger, a senior security strategist at Microsoft, argued that "it's harder to catch the people than to prove what they did."
He suggested the reward program is a spin on an old-fashioned technique used to catch criminals. If successful, it may act as yet another deterrent to cyber-crime, he said. "The possibility of going to jail clarifies the mind," he said.
Microsoft has not ruled out the possibility of civil suits, either. "We're not going to shut down any avenues we may have on the civil suit," said Hemanshu Nigam, a corporate attorney in Microsoft's digital integrity group. "We'll keep all of our avenues open."
Nigam noted that while a criminal case requires that a person be arrested, a civil suit merely requires that an alleged hacker be identified. The burden of proof also is lower in a civil suit than in a criminal case. But "if you've committed a malicious code attack that is criminal, then we hope you will be brought to justice in the criminal courts of law," Nigam said.