University Times

In sentencing one of two men arrested in connection with a YouTube video that threatened to release sensitive University data, a federal judge on Tuesday said the act was “not a simple prank” and that serious consequences were merited.

“That means jail time,” Judge Joy Flowers Conti told Alexander Waterland as she imposed a sentence of one year and one day in federal prison, followed by two years of supervised release on one count of extortion.

Among the provisions of his supervised release, Waterland would be permitted to have access to a computer and the Internet, but must allow monitoring of his computer, cellphone and electronic communication or electronic storage devices.

Waterland remained free on bond under the conditions of his pretrial release pending instructions on where and when to report to federal prison to begin serving his sentence.

Waterland, 25, of Loveland, Ohio, pleaded guilty earlier this year in connection with a video, “Anonymous Message to the University of Pittsburgh,” posted in late April 2012 that claimed to be from the hacktivist group Anonymous.

The video demanded an apology by the chancellor for failing to care for students’ data and threatened to release sensitive computer data if the apology was not posted on the University’s home page. (See May 3, 2012, University Times.)

Conti said she took into account the fact that no sensitive data actually were taken from the University’s servers, but also had to consider that the threat was made public, which prompted calls to the University’s computer help desk and public affairs office from concerned students, parents and employees.

Conti said the threats  — which included not only the initial video, but postings in response to comments on the video, Twitter messages and emails to University officials reiterating the demands — not only diverted University employees from their regular work, but “actually caused distress” to individuals who were concerned that sensitive data would be released.

Assistant U.S. Attorney James Kitchen said the initial cyberthreat sent University IT staff “into a code red alert on a Saturday night,” adding that the cyberthreateners’ action took the form of a series of threats, delivered in the wake of a series of bomb threats on campus. The video was posted five days after multiple hoax bomb threats to the Pittsburgh campus ceased on April 21. Scottish nationalist Adam Busby of Dublin, Ireland, was indicted in August in connection with more than 40 of the emailed hoaxes. (See Aug. 30 University Times.)

In a victim impact statement submitted to the court last week, Ted P. Fritz, Pitt’s associate general counsel, stated that losses came in the form of personnel hours rather than dollars.

As for the threat and demand for a public apology, “In a vacuum, this was serious,” Fritz stated. “However, this threat was more than serious because it came on the heels of a six-week siege of bomb threats to the University, some of which were electronically conveyed. Consequently, when the University was starting to feel some relief from bomb threats that appeared to have ended in late April, these new cyberthreats occurred and swung the general emotions at the University to ones of alarm and concern that the University was under a new type of cyberattack,” he stated.

“The University’s Computing Services and Systems Development department (IT team) was once again pressed into action to determine if an attack occurred, to implement enhanced security measures that restricted system usage and performance, and to fend off a substantial increase in probes of the University’s system from around the world.”

Fritz stated, “Specifically, the IT team faced a complex, time-pressured obligation that took several days of confirming that no data breach actually occurred. The staff of over 35 people worked around the clock to increase system logging, to analyze any anomalous network traffic, to check to ensure data security was not only appropriately set at the time of the alleged breach but also to ensure increased measures were emplaced. Because of the publicity and resultant probes for system weaknesses by potential hackers or other wrongdoers, the IT team was forced to tighten the security settings of the system and increase monitoring for weeks.”

The higher security impacted network availability for some Pitt end-users and diverted CSSD employees from their regular work.

“Instead of doing their day-to-day work to keep a research university connected, many of the staff were trying to explore the extent of what turned out to be a non-existent breach,” he stated.

According to the University’s statement, the threat also prompted a federal Department of Education inquiry “with the University having to show to this regulatory body that no breach occurred and sufficient protective measures were in place,” an inquiry Fritz stated has yet to be formally closed.

Waterland’s attorney, Anthony M. Bittner, countered that the University knew the YouTube threat was hollow and that there had been no compromise of data or penetration of the server. The information Waterland purported to have taken was “all public information” and the threat was “a complete ruse,” he said. He added that Waterland and another man who also pleaded guilty in connection with the cyberthreats were not involved in the bomb threats, nor did they wish to be associated with them, arguing that once they learned that they were being linked to the prior threats, they posted that they had no ties to those threats and did not condone violence.

Waterland’s father, Thomas Waterland, noted his son’s effortss to atone for his actions and cited his character and lack of a prior record, telling the judge that the “harm of incarceration would outweigh the good.”

Likewise, family friend Edwin Esparra detailed what he labeled an emotional and impactful presentation Waterland made to technical school students that aimed to dissuade them from doing what he had done.

Waterland spoke briefly on his own behalf, apologizing for the pain, suffering and disappointment he had caused and asking the judge for forgiveness.

In imposing the sentence, under which, with good behavior, Waterland likely would serve approximately 10 months in prison, Conti said the penalty needed to serve as a deterrent. “I’d hate to see another young person with your talents and abilities standing before some other federal judge,” she said.

Waterland, who had been a computer specialist at a mail-order pharmacy firm in Ohio, faced a maximum of five years in prison and a $250,000 fine on the felony charge. HIs sentencing was postponed several times from its initial March 15 date.

Waterland’s former co-worker, Brett Hudson, 26, of Hillsboro, Ohio, pleaded guilty to conspiracy in October in relation to the cyberthreats. His sentencing, originally set for Feb. 8, now is scheduled for June 18.

—Kimberly K. Barlow