Title
"You do $5k of damage and risk up to 10 years plus $250k fine?"
No.. Read more carefully.. "in excess of $5,000" The $5,000 is a limit for one of the american computer crimes. Below $5,000, slap on the proverbials, above $5,000, it's A Crime.
And for the other comment..
Yes, the 'bomb' didn't go 'off', but the 'crime' had already been 'committed' (sorry, got 'carried' away). By your logic, you could plan the assassination of Paris Hilton, get discovered as you're setting up your sniper rifle on the balcony opposite her hotel room, but because you'd never actually fired the bullet, get off scott free..??! And sure, they likely have an excellent backup system, but how long do you think it would take from the time the code wiped 70 servers, to them realising what had happened, calling an emergency, recovering all the data, and getting back into an operable condition? We're talking thousands & thousands of pound-dollars in immediate costs, not to mention the intangible damage to their reputation.
As a sysadmin, this type of crime sets a horrendous example to the world. It's a real crime, he should get a real punishment (although, perhaps living in New Jersey is punishment enough...