SoS Musings #31 - Kid Hackers

SoS Musings #31 -
Kid Hackers

Young people may deliberately or inadvertently be contributing to the continuously evolving cyber threat landscape and the rise in cybercrime, calling for an increase in awareness among members of this demographic about ethical hacking as well as an improvement of intervention efforts centered on young cybercrime offenders. Officials from the FBI and the U.S. Department of Justice have spoken about a noticeable surge in teenage hackers, pointing out that the increased accessibility of inexpensive easy-to-use hacking tools via marketplaces in the dark web have contributed to this spike. In 2016, a hacking group composed of teens from Scotland, England, and the U.S. was arrested for launching attacks against U.S. government agencies and high-level officials to expose sensitive information. Young hackers often start off as “script kiddies”, which are inexperienced hackers who use existing programs to launch attacks on computers and network systems. A hacking incident suspected to be caused by script kiddies resulted in a diplomatic crisis in Qatar, further emphasizing that such hackers are not to be dismissed as they can still cause quite a lot of damage despite their lack of knowledge in programing. Studies have been conducted on factors such as social behavior, relationships, environment, and level of computer competency that can indicate whether a child is likely to engage in cybercrime. In addition to the individual characteristics of adolescents that would indicate an increased susceptibility to becoming cyber juvenile delinquents, studies have delved into the common pathways to cybercrime such as an aptitude for technology, willingness to perform low-level illegal activities on the internet, and lack of self-esteem in the real world that would increase the need to build a reputation online. Other studies have examined the correlation between those with characteristics most associated with the autism spectrum disorder and those that perform cyber-deviant acts such as unethical hacking, identity theft, and computer virus creation. The findings of these studies should be further examined and communicated to parents, organizations, and government entities in order to bolster efforts towards steering kids in the direction of white hat hacking or ethical hacking in which hacking skills are applied in a constructive rather than a destructive manner. It is also especially important to encourage kids to use their hacking skills for career paths in the field of cybersecurity in order to build a workforce of highly-skilled cyber professionals as the shortage of professionals in field is expected to reach 1.8 million by 2022. Studies on the predictors of juvenile hacking and the pathways to cybercrime should be further expanded.

There have been studies on the different factors that could lead kids to cybercrime, which also highlight the different ways in which predictors could be determined. Researchers at Michigan State University (MSU) conducted a study in which the characteristics and gender-specific behaviors that have the potential to lead children to juvenile hacking were explored. Research in the realm of cybersecurity has largely focussed on the scope and threat posed by hacking instead of the factors that indicate when and how hacking behavior is initiated. Thomas Holt, lead author of the study and cybercrime expert in the School of Criminal Justice at Michigan State University, examined responses given by 50,000 teens from all over the world to find out what are the predictors of hackings. Findings of the study show that low self-control, negative peer-associations, along with excessive video game playing and TV watching, are predictors of juvenile hacking. Furthermore, it was discovered that the weight of these predictors may differ based on gender. According to the study, peer associations are more likely to influence girls to turn to malicious hacking, while TV and video games have a greater influence on boys. Gender roles are said to contribute to the differences in predictors in that boys are often encouraged to play video games, while girls are pushed to do other activities. When children have their own bedroom and computer, as well as a lack of parental supervision over what they do on the internet, they are more likely to enter cybercrime. Other contributing factors include the use of mobile phones from an early age and the performance of digital piracy activities such as pirating movies and music. Another study conducted by a team of researchers from the European Cybercrime Centre, UCD Geary Institute for Public Policy, and Middlesex University, explored the youth pathways to cybercrime by looking through the lenses of adolescent psychology, criminology, cyberpsychology, and neurobiology. Theories of criminology give insight into the reasons as to why adolescents may choose to engage in hacking behavior, which include social deviance and antisocial behavior. Adolescent psychology delves into the elements associated with the maturation of teenagers that make them more susceptible to committing cybercrimes, such as mood disruptions, impulsivity, and peer pressure. Through the lens of neurobiology, researchers can find out how the brain and its components can contribute the susceptibility of the youth to cybercrime engagement such as the release of dopamine when achievements are made online, the link between the prefrontal cortex and frontal lobe functionality to poor decision-making, and other associations with the brain that reinforce certain behaviors. Exploring youth hacking from a cyberpsychology point of view allows researchers to examine the elements of anonymity/invisibility and the online disinhibition effect that can make adolescents more prone to committing potentially damaging acts online. The researchers found that the overlap of these research areas would help law enforcement and industry identify, prevent, and intervene in malicious youth hacking. The intersection between these areas of research in the exploration of youth pathways to hacking, led to the identification of individual characteristics and common pathway factors that influence young individuals to commit cybercrimes. According to key findings from interviews, researchers found that adolescents were more vulnerable to committing cybercrime if they were extremely intelligent, highly computer literate, highly curious about technology, and socially isolated from others that are not similar to them. Additionally, if they were withdrawn, and in need of emotional support and validation online, they would be vulnerable to juvenile hacking. Young people are more likely to take to the path of hacking if they have a lot of interest and skills in technology, are willing to engage in low level illegal internet activities, are easily encouraged to perform illegal behavior, exhibit addictive behavior, lack self-esteem, desire to increase their online reputation, and more. Vince Warrington, director of Protective Intelligence and cybersecurity leader who has helped private companies and the government improve the security of their data, compiled a list of signs that a child may be a hacker. The list was developed as a result of his involvement in a program, called Hackers to Heroes, a program ran by YouthFed aimed at encouraging kids to use their computer skills for careers in cybersecurity instead of cybercrime. According to Warrington, the signs include spending a large amount of time on the computer alone, the use of hacking terminology in their conversations, the use of multiple accounts on one social media platform, claims of making money from online video games, the malfunction of monitoring tools installed on their computers, and other signs that could indicate that a child may be hacker. Parents should lookout for these signs to provide guidance that would steer kids away from committing cybercrime.

Children on the autism spectrum have also been found to possess traits that deem them more vulnerable to being led into cybercrime. A study conducted by researchers at Purdue University suggests that there is a correlation between individuals with traits associated with Asperger syndrome, one of the autism spectrum disorders, and those who engage in hacking, identity theft, and the creation of computer viruses. Rebecca Ledingham, vice president at Mastercard and former cyber agent for INTERPOL's Global Complex for Innovation, stated “there’s no other organic set of offenders that may be predisposed to cybercrime due to the nuances of their disorder”. As kids on the autism spectrum possess traits of curiosity, willingness to learn, and other exploratory skills, they could be more easily led down the path of cybercrime. Kids with autism are often found to be highly skilled in subjects such as math and science. Hyperlexia is a condition often associated with autism, which refers to an intense interest for letters and numbers as well as the advanced ability to read. This syndrome could ease the performance of switching between English and coding. Those with autism are often found to be pattern-thinkers, which could help them avoid logical or syntax errors when writing code because they could easily detect missing semicolons and other instances in which the pattern is abnormal. Photographic memory is another common trait in kids with autism that could allow them to easily visualize a network setup and the potential security vulnerabilities contained by that setup. As kids with with autism often face bullying from their peers, they often turn to online communities commonly associated with gaming for solace. However, Ledingham has pointed out that gaming has been found to be one of the common paths to cybercrime. Given the proper guidance, encouragement, and opportunities, highly skilled autistic kids could use their rare skills to improve cybersecurity and be valuable assets to any organization in the future.

It is important that parents, law enforcement, and industry increase efforts to raise awareness among young people about of proper behavior in cyberspace and the consequences of cyber criminality. Kids’ development of sophisticated technological skills should not be hindered, but there should be guidance as to how they can use their skills in a positive way. As human factors play a significant role in the factors that contribute to kids considering a life of cybercrime, it is important for parents to be more aware of what their kids do online and the risks posed by their activities in cyberspace. Education and knowledge are essential for parents to provide guidance as to what constitutes a cybercrime as well as the legal implications and consequences of such crimes. In addition to providing key study findings in relation to the characteristics and common pathways to cybercrime, researchers from the European Cybercrime Centre, UCD Geary Institute for Public Policy, and Middlesex University, also gave recommendations for the industry on how to prevent youth from engaging in cybercrime. There should be an increase in collaboration among law enforcement entities, industry, and policy makers to foster an online environment in which intervention mechanisms are implemented to deter young people from performing illegal activities. A new study conducted by researchers from the University of Cambridge and the University of Strathclyde explored the different ways in which law enforcement attempts to prevent young people from engaging in cybercrime to see how effective these methods are. According to the findings of this study, the removal of infrastructure and the launch of highly-targeted messaging campaigns by law enforcement are effective at reducing cyberattacks over a longer period of time as opposed to high-profile arrests and convictions of cybercriminals. There must also be an increase in support for hackathons that encourage and recognize young people for their demonstration of ethical hacking skills. For example, the U.S. Army partnered with the security firm Synack to teach kids white hat or ethical hacking skills at DEF CON as they were given the opportunity to learn how to hack a variety of technologies associated with door locks, computer games, hardware, and more, using open source tools and basic command line tools. Young first-time cybercrime offenders should also be given a second chance at using their skills ethically and legally. Police in the U.K. and the Netherlands established a legal intervention campaign, called Hack_Right, which would give individuals between the ages of 12 and 23 who have been suspected of committing cybercrimes the opportunity to do community service instead of face legal consequences. The community service would consist of 10 to 20 hours of ethical computer training. Following the completion of community service, the young hackers would then be put in contact with professionals who can introduce them to potential career paths and educational courses in support of their interests and skills. The U.K.’s first cybercrime intervention workshop was another initiative aimed at providing rehabilitation for young hackers that have committed low-level cybercrimes and received low level interventions such as warnings or cease and desist orders in order to prevent them going further down the path to high-level, damaging cybercrime. The workshop was also designed to encourage young offenders to consider using their skills for ethical practices and legal jobs in cybersecurity as well as increase their understanding of the consequences they can face if they commit serious cybercrime. This initiative was supported by PGI, BT, IRM, Grillatech, Ferox Security, and the Whitehatters Academy, further highlighting the importance of collaboration in providing intervention for young cyber criminals. There should also be an integration of educational courses aimed at teaching kids about ethical hacking such as the cybersecurity course offered by CodeHS for high schoolers. CodeHS’ year-long cybersecurity course was designed for schools in which there is a lack of advanced computer science departments and faculty with expertise in cybersecurity as it provides training to teachers and students, using a comprehensive curriculum. Students would learn about programming, cyber hygiene, and the ethical implications of hacking. In addition, students would be given a chance to explore career opportunities that would be open to them if they decide to pursue such subjects after they graduate from high school.

If given proper guidance on ethical hacking and online use as well as the opportunities to learn and practice skills in white hat hacking, kids can be encouraged to use their skills to improve cybersecurity rather than engage in cybercrime. In turn, these kids could one day be the next generation of cybersecurity experts to fill the cybersecurity workforce gap, thus increasing the safety of the nation.