Harnessing hacker talent early yields promising results

Many parents are struggling to keep their teens engaged and busy while home from school during the COVID-19 health crisis. For some young people in the UK, help is at hand thanks to a program from the UK government.

Law enforcement and government cybersecurity officials have launched a program called Virtual Cyber School, which aims to teach young UK adults aged 13-18 cybersecurity skills. They can “learn how to crack codes, find security flaws and dissect criminals’ digital trails whilst playing as a cyber agent in our Cyber Protection Agency,” says the site.

This is a joint effort between the National Cyber Security Centre (NCSC), which is part of GCHQ, the National Crime Agency (NCA), and the Department for Digital, Culture, Media and Sport. It isn’t the government’s first initiative targeting young tech enthusiasts. The NCSC launched its existing CyberFirst education program in 2016 to teach young people about cybersecurity. This initiative now also offers online virtual summer courses for young people interested in learning more about computer science and ethical hacking over the school holidays.

As part of this program, the NCSC operates Cyber Discovery, an extracurricular online initiative offering additional learning and game-based activities, which includes CyberStart, a program that takes young people through an initial online assessment and three other stages: Game, Essentials, and Elite. Each stage is by invitation only, based on the student’s performance during the prior stage.

The new Virtual Cyber School program includes a free license for CyberStart Game, with which it shares some content. Students who participate in the new program will get an invitation to participate in Cyber Discovery’s June intake. They also get access to the NCA’s CyberLand program, which is another series of online games introducing key concepts in cybersecurity.

Reading between the lines, this seems like a way for the NCSC to cast the net wider and reach kids who may find themselves at a loose end in front of a computer during the lockdown. Idle hands are the devil’s workshop, and by giving kids a healthy alternative the NCSC could divert them from venturing into dangerous and illegal activities online.

Let’s be clear: Not all kids who like a spot of Red Dead Redemption 2 during their downtime will end up behind bars. Nevertheless, research has shown a clear link between more obsessive gaming habits and illegal activity. A joint study between ethical hacking organization CREST and the NCA charted many kids’ path from online gaming into game cheats, participation in hacking forums, crime to ‘beat the system’ and then crime for financial gain. Along the way, there’s no shortage of organized online criminals eager to snag a kid who’s feeling disenfranchised in real life and craves online validation.

Sometimes, young people just stumble into bad scenarios, driven more by simple curiosity than financial gain. Samy Kamkar, author of the Samy worm that took over MySpace in 2005, began by modifying video games to gain an edge over his opponents. Then, bored with the playing, he continued a cat-and-mouse game with the gaming software authors, subverting their anti-modding controls just for fun. The Samy worm was just an intellectual experiment, but it was more successful than he expected and it landed him with a felony record.

Aware of these dangers, UK law enforcement is trying to harness young talent as early as it can, ideally before it’s misused. Even kids collared for more serious crimes than choking a gaming opponent’s connection sometimes get a way out.

Take Cam Coller, now a senior SOC analyst at security company CSA, who was an avid gamer when he was a teen. Disputes with other gamers online got him into DDoS attacks, which he used to slow down their connections and make them lag. After escalating his attacks into hacktivism, he launched an attack on SeaWorld, causing thousands of dollars’-worth of damage.

A DDoS attack on his local police station after a dispute with the constabulary got him arrested, but instead of jail time he got a chance at redemption: a spot in a National Crime Agency bootcamp for hackers that aims to reform young people that are venturing down the wrong path. He learned more about cybersecurity there than he ever had as a misguided script kiddie. You can listen to his story on the excellent Darknet Diaries podcast.

With industry body (ISC)2 now estimating a shortfall of over 4.2m professionals online, up from 2.93 million in 2018, tapping young talents serves a double purpose. First, prevention is better than cure: it catches them early and gives them a chance to apply their talents in a more constructive way before they fall into a life of crime. Second, it diverts those talents into an industry that sorely needs new skills to stop attackers from compromising systems at hospitals, banks, and small businesses nationwide.

There don’t seem to be many – if any – such young hacker rehab programs in North America. Although some hackers have been co-opted to work with the FBI and the Secret Service, they’re generally flipped long after they’ve started committing serious crimes. Canadian hacker Michael Calce, aka Mafiaboy, only got the help he needed after serving time for his string of DDoS botnet attacks. Even then, he had to find his own mentor, another pen tester, who helped him hone his skills for good.

The UK’s success in finding and flipping young tech talent before it goes too far down the criminal road is an example that authorities in North America would do well to follow. After all, isn’t an ounce of prevention worth a pound of cure?


Bookmark and Share