He hacked central control systems used by utility companies. This could have caused all sorts of disruptions including to traffic lights and hospitals. This was definitely not a "victimless crime".
That analogy doesn't fit here at all. In your case they intend to cause harm to someone at the start by literally shooting someone. You are presupposing intent and harm of a person and certainly there were neither in the hacker's case.
A better analogy, that maybe is more fitting, is you blow through a stoplight and kill someone.
That's definitely negligence but there was no intent to hurt someone, the intent was to speed to a destination.
The intent here was to use computing resources to launch an attack on another hacker group, nothing that would have intently harmed a person at the clinic. They could have accidentally hurt someone though.
And if they did it would be recklessness, certainly negligent , but their intent was not to kill someone.
And this is why we in the US have different laws for different situations that take into account negligence, intent, premeditation etc.
None of them are alright but the state of mind the person committing the crime was in makes it varying degrees of bad.
Someone who accidentally kills someone and someone who plots a cold blooded murder have both taken a life but, the one who killed on accident isn't as heinous or maybe as morally reprehensible.
Life is mostly varying shades of grey and not strictly good or bad and that's why society has complex laws to dole out different punishments depending on situation.
And finally, the hacker never harmed anyone in this case arguing on what they might have done is an abuse of the system imo. I might get up right now and burn my neighborhood to the ground, but you cant condemn me of it before I actually do it. (I won't)
In the context that people have been talking about is did he physically harm someone, the answer is no, in that sense there was no victim. I don't sympathize with him but he didn't cause physical harm to anyone and besides what it cost to remove the botnet from the clinic's machines he doesn't seem to have done any real economic harm here either. There was no patient information stolen, no damage to the clinic's reputation and no permanent damage to their systems.
10 years is egregious and heavily punitive. The prosecutor that speculated that he "could of caused harm" and that was what the entire punishment was predicated on. Our legal system is entirely draconian when it comes to computer crimes.
This should have been criminally probation or a few months in jail and a civil suit brought by the client for any actual damages.
I'm not saying there was no wrong doing but you're not going to convince me that the minor damages were worth 10 years of this guys life.
I agree that 10 years (any years) in prison is excessive for what he was accused of, but the term being thrown around in this thread was "victimless crime". The mere fact that someone had to pay to clean his botnet from their systems means that this crime had a victim.
A more reasonable sentence would have been 2-3x the cost of the cleanup—and details on the systems that were compromised—plus a certain amount of (extrajudicial) social ostracism along the lines of ISPs not being willing to sell him Internet access based on his past history of abusing such privileges.