Out-Law News 3 min. read
25 Apr 2017, 10:19 am
The NCA's 'Pathways Into Cyber Crime' report (17-page / 528KB PDF) revealed that most hackers (61%) get into hacking before they reach the age of 16. It revealed that the average age of people who were either suspects or arrested as part of investigations by the NCA's National Cyber Crime Unit in 2015 was 17.
Philip Kemp, cyber risk expert at Pinsent Masons, the law firm behind Out-Law.com, said that the impact that these individuals can have should not be overlooked, and pointed to the cyber attack on TalkTalk, which attracted a record £400,000 fine from the UK's Information Commissioner's Office (ICO), as an example where youths had exposed cyber vulnerabilities at a major business. In that case some of those arrested were reportedly aged between 15 and 21.
The report, based on interviews with cyber criminals, highlighted the factors which encourage people to engage in cyber crime.
It said: "The skill barrier to entry into cyber criminality is lower than it has ever been. Off-the-shelf hacking tools, which require very limited technical expertise to utilise, are available at little to no cost for the user. Many illegal products are advertised openly on low level hacking or gaming forums. Video guides and step by step tutorials on how to use these products are readily available on the open web. These circumstances have created an environment in which more young people are becoming involved in cyber crime."
The NCA's study found that "only a small number" of people who engage in "low-level" cyber crime go on to become "very technically skilled" cyber criminals, but warned that "young and relatively unskilled cybercriminals" are nonetheless able to "cause significant harm" as a result of "the proliferation of off-the-shelf hacking tools and services". These individuals are sometimes referred to as 'script kiddies'.
The report also highlighted that young people who engage in cyber crime do not necessarily do so to gain financially.
"Industry interviews, debriefs, and academic literature suggest that money is not the sole or even key driver of behaviour in the majority of UK offenders," the report said. "However, financial motivation should not be discounted. The rise of off-the-shelf hacking tools that can be used to make money illegally may lead to a rise in low-skilled offenders who are involved in cyber crime purely for financial gain. Completing a challenge, a sense of accomplishment and proving oneself to peers are key motivations for those involved in cybercriminality."
According to the report, law enforcement does not act as a deterrent to cyber criminals.
"Individuals consider cyber crime to be low risk," the NCA said. "Illegal activities are discussed openly on many open forums. Forum users offer guides and tips for new users. The law and its consequences are rarely discussed and if the topic is raised it is generally dismissed. Debrief subjects have stated that they did not consider law enforcement until someone they knew (or had heard of) was arrested. For deterrence to work, there must a closing of the gap between offender (or potential offender) with law enforcement agencies functioning as a visible presence for these individuals."
Kemp said: "Sources of cyber attacks are many and varied. We are dealing not only with money motivated criminals, but often technologically-skilled individuals who do not necessarily understand the full implications of their actions – an 18 year old mindlessly testing the security of the website may not consider that that his actions may be a crime."
"It is easy for 'white hat' hackers, individuals who may profess their intentions to be good, to inadvertently perform activities which may stray into criminal acts if their pen-testing efforts are not authorised," he said.
Kemp said the fact that there may be hundreds or thousands of young cyber criminals out there with potential to expose security vulnerabilities in businesses may be "fairly terrifying" for chief security officers. However, he said the report also noted the potential opportunities that exist to deter people from getting involved in cyber crime and instead using their skills for more positive outcomes. There may even be an opportunity to address the cyber skills gap that the UK is reported to be facing if this talent can be attracted to a more positive route at an early age, for example with appropriate awareness in schools, he said.
According to the UK government's recently published UK cybersecurity breaches survey, 68% of large UK companies, and 46% of all UK businesses in total, "identified at least one cybersecurity breach or attack in the last 12 months".
Pinsent Masons recently looked at the 10 things you always wanted to know about cybersecurity but were afraid to ask. Pinsent Masons experts looked at which people are typically behind cybersecurity breaches and the methods they use, what the common vulnerabilities are and what good IT security looks like, and how the legal landscape and regulatory fines are changing.
They also assessed the rising threat of ransomware and looked at how businesses may be able to seek protection afforded by legal professional privilege, and what they need to consider when working with criminal authorities, as well as the advantages of engaging credit monitoring after a breach, and the potential benefits of taking out cyber insurance.