US computer crime law is only now starting to soften, but as @CarlMud said above, the CFAA has been overly extensively applied in the past, and does have harsh penalties. (10, 25, to life.) I don’t expect this kid to get life. If I were to speculate, I imagine he will not even be convicted, due to race, gender, etc. (Which is also a problem, of course.)
Having seen the way the laws work when it becomes “computer crime” in the US though, I worry. Fixing the laws to match the crimes is really the goal, is it not? Scare the kid a bit. Make him realize what he did wrong, and hopefully rehabilitate.
When a non-lawyer hears “computer crime”, it’s of course going to make sense that it was a “crime with a computer”, but lawyers are very concerned about precedence, and definitions, and the definitions rapidly narrow.
Think of all of the people yelling out “Treason” after what happened on 1/6 in the US. There is a very strict definition of what treason is. partially because. we allow people to be executed for it, so you kind of want a high bar.
The Computer Fraud and Abuse act was written with a low bar, because the government was in a panic at the moment about “what do we do now?” and didn’t understand the playing field. It also can car
ry some extreme penalties.