Jonathan Atkin, a stern-looking detective from the UK’s South West Regional Cyber Crime Unit, jumps up in front of eight boys spaced out across a small conference room. He paces back and forth, fixing each of them with a long, hard stare.
“Some of you know me,” he says. “Why do you know me?” He points at three boys in turn.
“You came round my house,” mumbles the first.
“You came round my house,” echoes the second.
“You’re my best friend,” says the third, causing a ripple of laughter that breaks the tension in the room. “No,” he says, with significantly less bravado, “I was a naughty boy.”
In one way or another, each of these kids, whose ages range between 14 and 19, has taken a wrong turn somewhere on the internet and blundered into muddy waters. Some were caught by the police, others got caught hacking into their high school networks. After receiving cease and desist letters, they were given a choice between a black mark against their name or spending their Saturdays doing something else.
That alternative is the “cyber crime intervention workshop,” essentially a rehab camp for young hackers. It’s one of around five pilot sessions that have taken place across the UK since late 2017. It represents another way to deal with teenagers that show exceptional technical talent but poor judgment. The workshops reroute them, show them they have options and high earning capabilities, that they are wanted and needed by society. The hope is that they will see the light and turn from black hat to white hat before slipping too far down the rabbit hole.
“We didn’t want a whole generation of people to be criminalized,” says Debbie Tunstall, head of education programmes at Cyber Security Challenge, which runs the program in partnership with the UK’s National Crime Agency. “A lot of the time they don’t realize they’re doing something wrong until it’s a little bit too late.”
There’s another benefit: By identifying these individuals, the UK is hoping to build up a workforce that’s more proficient in technology. There will be 3.5 million unfilled cybersecurity jobs globally in 2021, according to a report by Cybersecurity Ventures. The dearth of talent in this area could mean less competitive local businesses, as well as leaving the country vulnerable to out-and-out cyber warfare at a time when hacks are a regular occurrence.
The question is how to get these skilled teens to fill those jobs without taking a side trip through the criminal justice system.
The new R&R: Rehab and recruitment
“You can serve this country in ways that few can.”
It sounds like the opening of a motivational army recruitment speech, or perhaps a line from Homeland. But don’t be fooled.
Tall, intimidating and with a serious, booming voice, Greg Francis is a senior officer for the NCA and a former magistrate, and he’s here on a Saturday morning in March in the Concorde hangar at Aerospace Bristol in the west of England to lay down the law with these boys.
But that’s not to say he’s harsh with them. Even though this is technically their punishment, there’s nothing about the day that feels punitive — it’s more like a very intimate careers fair.
Until now, the boys have been quiet and uncommunicative. Some clutch Coke bottles and most gravitate towards the back of the room, keeping their coats on and their hoods up. Each boy has at least one parent or guardian in attendance. Throughout the day, they will be separated and herded into different sessions. The workshop is designed to be an educational experience for both, Tunstall says.
“There is a problem with careers advice, and there is a problem with parents who have no idea what their children are doing,” says Tunstall. “They think: they’re sitting in their bedroom on their computer, aren’t they smart? And they don’t even think they might be putting themselves in any danger — it doesn’t even cross their mind.”
Law and order
Francis, who works specifically on preventing crime, believes the chances are good and that the workshops are necessary, both as a preventative measure against more serious cyber crime, and as an alternative option for judges.
“The agency has no interest in prosecuting young people for cyber crime offenses if we’re not convinced that person knew the implications,” he says. “We might have to prosecute — that’s that. But we should not be prosecuting in the absence of an intervention and that is what this is.”
The concept derives from the idea that these boys — and they’re almost always boys — are offenders who do not fit the traditional criminal mold, he explains. The way the criminal justice system is set up in the UK means there are two things prosecutors need in order to secure a conviction: evidence and proof that there was intent to commit a crime.
For most types of criminals, Francis says, the intent part is usually straightforward, whereas evidence can be tricky to gather.
With teenage hackers, the opposite is often true. When the police turn up at their houses, they usually confess immediately and hand over all the evidence as soon as they’re asked. But intent is harder to prove.
“All the conventional factors that you use in developing and bringing a case forward are absent,” says Francis.
Getting in with the wrong crowd
Gaming often serves as a gateway for young people getting into cybercrime. They realize they have an aptitude for understanding the back end of modding and cheating and start to engage on forums where they learn more and more skills. Bored and bright but not fundamentally bad, they test the limits of their own abilities, until they’re goaded or groomed or just too brazen for their own good and overstep the mark.
“I sympathize with them because I was in their shoes,” penetration tester Callum Vickers tells the parents in a session where the boys aren’t present. “I understand their thirst for knowledge.”
Vickers, who like the teenagers present was also issued with a cease and desist letter, is here to set an example. The UK’s Serious Organised Crime Agency and the FBI subpoenaed his IP address when he connected to a forum without using Tor on his phone and was caught in an international sting operation. Vickers, who now works as a consultant for a cybersecurity company, course corrected himself several months before the sting brought the police to his door. He warns the boys that they can’t expect to commit a crime, cash out and think they’re safe.
16-year-old Ben (whose name has been changed to protect his identity) had a similar experience, he tells me as we make polite conversation over a lunch of sandwiches and muffins. He doesn’t want to tell me exactly what he did, but he says he’d already stopped by the time the police showed up at his house.
“When they first came to my door, I thought this is it, I’m going to prison, my life’s over,” he says. He was relieved to be at the session and not have a criminal record. “I wouldn’t consider myself a criminal,” he tells me.
Ben attended the day with his mother, Sally (also not her real name), who told me she felt trepidation ahead of the event. It’s unsurprising — what conscientious parent would be pleased at the prospect of a Saturday spent listening to police officers lecture them about the wrongdoings of their offspring? But instead of a slap on the wrist, they got reassurance and encouragement.
“We’re very grateful to be doing this, because if we didn’t have this opportunity as a parent I would still be a little bit in the dark about how to help him,” she said.
Unlike Ben, Sally was shocked when the police came knocking. She knew her son spent a lot of time online, but didn’t think much else of it and felt “real guilt” when she discovered the truth. “I was very ignorant,” she said. “I thought: he’s a clever boy, he’s found something he’s good at.”
Ben looks sheepish and explains that while he did receive payment for some of his illegal activities, his main motivation was the social aspect. He fits the model Francis described to me about young hackers.
“For me, I did it because I made a lot of friends,” says Ben. “I’m not too popular at school but I do make a lot of friends online, and if you boost your skills you just make more and more friends. I got involved with the wrong people.”
A punishment that fits the crime?
Still, Ben and the other boys here have committed crimes, and the treatment I’m witnessing might irk people who take a more hard-line approach to criminal justice, or those who have been victims of their crimes.
Beyond rehabilitation, however, this program is designed to lay down the law.
Some of the boys arrive not fully understanding the clear parameters of what is legal and what is not. Many are surprised when the police show up at their door with a cease and desist letter. But they leave fully schooled in the intricacies of the UK’s Computer Misuse Act, including the consequences: Punishment for offenses against the Act can range from six months to life in prison.
They are told cautionary tales about young hackers who got caught and are now living out the remainders of their misspent youths in jail cells. They learn that even if they use booters while gaming they could get in serious trouble. That if they write a bit of code that is later used by someone else to take down a government agency they will still be liable. That there are victims to their crimes, even if they can’t see them.
I sit in on a session where the boys are given scenarios and asked to make decisions about how they would react. For example, would they hack a school security camera to exonerate themselves from a crime? Later they’re asked whether they would make different decisions based on what they now know about the law. Six of eight say they would.
Should they commit further offenses in future, they won’t be able to plead ignorance. It’s one sure-fire way to establish whether there was intent to commit a crime. “You could turn round to the judge and say: ‘he knew’,” says Francis.
Glimmers of hope
Sally came away thinking the day was “a wonderful opportunity,” both for Ben, and for her, to understand what was going on in his world. Ben was also grateful. “I have a second chance, I can do what I want to do,” he tells me. He knows he wants to go to university, and then become a penetration tester — a kind of ethical hacker. He seems particularly fired up after a talk from Craig Gonzales who heads ethical hacking at BT.
Gonzales showed the boys a sliding scale of what they could earn both at the beginning and the height of their careers, and you could practically see the dollar signs in some of their eyes.
Sally wonders out loud whether Ben should skip university and do an apprenticeship instead. She’s heard some positive things about the opportunities in one of the parents’ sessions. This seems like a conversation for the two of them, so I take my cue and wander off in search of another muffin. By this stage in the day the parents and boys are starting to mingle and chat more freely.
Later, while the boys are next door taking part in one of the hacking challenges, Vickers tells the adults that unlike them, his parents never even knew that he got a cease and desist letter from the police. “It’s good you’ve got the communication open,” he says.
Prevent, protect, pursue
The Cyber Security Challenge and the NCA plan to hold more workshops across each region of the UK — assuming they get funding. A mix of public-private money supports the program.
Francis wants the gaming industry to step in and do more, both to warn people when they’re breaking the law, and potentially as a sponsor for the sessions.
Even though each workshop only hosts a small number of kids, the expense of intervening this way is worth it for Francis. The potential havoc that just one of them could wreak if they continue down the path they’re on supersedes that of trouble-making roughnecks their own age or even hardened criminals with years living on the wrong side of the law.
“These lot can cause real damage, millions of damage if not harnessed,” he says. “Normally law enforcement is only interested in how many people are doing it… not with these guys. Ask yourself what can they do?”