There’s something magical about remote control.
The world I grew up in involved getting up and crossing the room to select from one of three channels of TV – or turning the box off. Today, remote controls festoon every surface of my living room and the idea of getting up to operate a device is as anachronistic as using the word “box” to describe a television.
My youngest son still describes my ability to open his car window from the driver’s seat without apparently moving a muscle as “daddy magic”, even though he has grown up with wireless devices and remote controls. There is definite wonder and wizardry in doing things at a distance that appeals to the child in all of us.
My earliest home computer was an isolated device, a closed system – connected to the outside world only for power. The BBC B computer I had access to at school, however, was a member of a Local Area Network (using Acorn’s Econet technology). It was discovered that using certain simple typed commands, one could make a computer on the other side of the room make silly and annoying noises without the person sitting at the desk doing anything.
No-one knew who or where this knowledge came from – but the world immediately split into wizards – who knew the secret of this magic (and of protecting your own computer from other wizards) and non-wizards (I guess the modern term would be muggles). The secret of the *PROT, *REMOTE and *NOTIFY commands was simple but jealously guarded. Those people who knew gained status and the respect of their peers.
Looking at the recent National Crime Agency report on pathways into cyber crime, it is immediately apparent to me that my earliest introduction into the magic of networking (and abuse of networking) is still alive and well.
Teenagers are fascinated first by computer games and controlling them, then by the wonder of being able to cast their influence over distances in competition with other gamers. They collect in gaming or hacking forums where they seek arcane secrets to be one of the knowledgeable ones – one of the mentors, the teachers, the wizards. They search YouTube for good quality how-to guides on hacking. Those hackers who help others in this community and share knowledge to worthies gain status and reputation. Far from the solitary pursuit it is imagined to be, cyber crime is driven by and guided by strongly hierarchical social interactions.
According to Arbor’s 12th WISR report, the vast majority of DDoS (Distributed Denial of Service) activity is based on young gamers using DDoS tools (booters or stressers) against other gamers. Using these tools becomes normal to these young people. It is a short step from there to using DDoS tools against non-gaming targets, or getting involved in more sophisticated black magic – web exploits, remote access trojans, malware, bots, ransomware and so on. It’s not about money initially – it’s that childhood wonder, challenge, ambition, competition and desire for recognition that results in cyber crime.
“The average age of suspects and arrests in cases handled by the National Cyber Crime Unit (NCCU) in 2015 was 17 and 61% of these hackers started before the age of 16. Many reported that early official intervention by the police would have changed their course – that they did not see the criminality, the potential damage, the path that they were following.”
Look no further than this British youth, receiving a 2-year sentence in a correctional facility after masterminding 1.7 million distributed denial-of-service attacks (DDoS) from his bedroom in Hertfordshire. Again it was attacks on gaming servers that played a big part in his sentencing.
These young people are a fantastic potential source of skills for the UK if we can catch them at the right time and in the right way. Only a small number of youngsters get drawn from this pool of apprentice wizards into using “dark magic”. Each one represents a life damaged, or ruined by a lack of positive role-models or greater connection with the law or victims of cyber crime. We need to stop denigrating these youngsters as “script kiddies” and start identifying them and reaching out to focus their abilities on the constructive, legal and profitable uses for their technical skills and logical thinking.
The UK government is aware of how important this is. In February, they announced £20m of funds for a Cyber Schools Programme – creating an extracurricular course for 14-18 year olds looking at cybersecurity. Unfortunately, it can only reach 5,700 teenagers between now and 2021 and they still appear to be looking for a suitable delivery partner.
There is also the CyberFirst Bursary scheme (1,000 grants to support studying degrees in cybersecurity) and Cyber Security Apprenticeships for people from 16+ to taste work in critical sectors of UK industry.
However, there are nearly 5 million teenagers in the UK and these programmes can only reach so far. These narrow schemes may not be taken advantage of by the people most at risk of falling into cyber crime and the window for intervention is opening earlier and, one suspects, closing earlier too.
Getting younger teens interested in cybersecurity and keeping them out of the hands of criminals and idiots seems like an easy problem to solve – but this one does not seem to come with a handy remote control.