Teenagers caught carrying out hacking and cyber-attacks could soon be attending a rehab camp that aims to divert them away from a life of crime.
The first weekend camp for offenders was held in Bristol this month as part of the National Crime Agency’s (NCA) work with young computer criminals.
Attendees learned about responsible use of cyber-skills and got advice about careers in computer security.
If the trial proves successful, it will be rolled out across the UK.
The people picked to attend the residential weekend were known to police because they had been caught carrying out one or more computer crimes, said Ethan Thomas, an operations officer in the NCA’s Prevent team, which engages with young cyber-offenders.
‘Attacks, attacks, attacks’
Hundreds of fledgling cyber-criminals have been contacted by the NCA as part of its Prevent work. Some received letters warning them that their online activity had been spotted and some were visited at home by officers.
The seven young men attending the weekend camp had gone further than many the NCA is aware of. They had either been arrested, visited by officers because they were spotted using tools or techniques that break UK computer misuse laws or been cautioned by police because of offences committed at school.
They had been caught defacing websites, knocking servers offline and carrying out hack attacks that let them take over restricted networks.
One attendee said an early fascination with numbers and his accidental “hack” of a primary school network that locked everyone out of the system, got him hooked on computers.
The skills he built up were put to malicious use later on, he said, because they were a way to escape the bullying he suffered at school.
He used technical vulnerabilities to break into networks by exploiting vulnerabilities and used psychological tricks, known as social engineering, to force people to cough up details that helped him burrow further in.
“I manipulated people’s feelings and thoughts to my own advantage,” he said. “It was all attacks, attacks, attacks and nothing on the good side.”
One attack on a company website was done just for “mischief” but left the organisation behind it with a hefty bill as it struggled to recover.
“I didn’t mean to do it,” said the young man. “I had no intention to cause harm.”
The investigation into the attack led police to the teenager, who was then arrested. He was given a two-year suspended sentence along with a series of other conditions – one of which was to attend the weekend rehab event.
Teenage cyber-offender: ‘Exciting and fun’
Originally it was me and two other friends who, just for a bit of fun, tried to see what we could do. We tried to break into our school’s network.
We ended up creating our own administrator account that gave us full access to the school’s monitoring system. We could control people’s screens, we could send them messages, we could change passwords.
It was quite exciting just seeing what we could do – trying stuff, and if it worked, then it was really exciting because it was, ‘Oh, we didn’t expect that to work.’ We’d take that further and go on to the next thing and the next thing until we had that access.
It was exciting. You work hard at a little task and then when you finish it, you want to take it a bit further. You want to carry on and then it gets to the point that you realise you shouldn’t carry on.
And then it’s too late.
“The weekend was designed to do a few things,” said the NCA’s Ethan Thomas, “but mostly it was to positively divert those that could be putting their skills to a more positive and legal use.”
The two-day residential camp reinforced messages about using technical skills responsibly and called on industry professionals who gave talks about jobs in cyber-security. It had the air of a school trip as in that much of the fun was closely supervised and had an educational bent.
Attendees learned about the different roles computer security staff take on including forensic analysis, network protection and mounting attacks on companies – known as red teaming. They also did coding challenges, took each other on in hacking games and learned about bug bounty schemes. These schemes could mean they would get paid for finding and reporting the loopholes they used to exploit for their own ends.
After the weekend, one attendee said: “Now I know cyber-security exists it sounds like it would be something I really, really want to go into.
“You get the same rush, the same excitement, but you are using it for fun still, but it is legal and you get paid,” he said. “So, it’s every kind of benefit.”
Mr Thomas said the idea for the event grew out of an NCA research project that compared the hacking skills of people on both sides of the law.
“It measured up the profiles of different offenders we had and compared it to those of talented people in the industry,” he said. “What we found was that the only sole difference within the stories was that the industry members, at some point, had an intervention.”
Mr Thomas said these pivotal moments in the career of a young person came from different sources – parents, guardians or teachers – but the guidance given demonstrated how effective such an intervention could be.
“The skills are so transferable with this crime type,” he said. “If you have good cyber-skills there are many, many qualifications you can take.”
He said the people who took part in the weekend would be monitored to see how their experience changed them. The NCA said it was planning to introduce similar weekends across the UK if they proved to be able to set young malicious hackers on the straight and narrow.
Solomon Gilbert, a former offender who now runs his own cyber-firm, Ferox Security, spoke to attendees about his past, which was very familiar to many of them.
“I got into more and more trouble for hacking inside of the school,” he said. “Hacking student emails and things like that.”
“I was getting drawn in to making my own malicious code and making my own exploits,” he said, adding that he went on to steal sensitive information solely to satisfy his own curiosity.
Time on the computer also helped him cope with his autism spectrum disorder as it helped quiet the “noise in his head”, he said.
With the help of a “brilliant” IT teacher, Mr Gilbert found his way to a job helping defend firms rather than attacking them.
“Everybody in the cyber-security industry has one person that they have met who has gone, ‘Well, you’re very talented at this so let’s get you to do this as a job,'” he said. “Everyone has that.
“For me, all this guy did was show me that I could have just as much fun, and it could be just as mentally profitable on the good side as it was on the bad,” he said.
“It was a small thing, but it had a hell of a lot of impact.”
This week BBC News is taking a close look at all aspects of cyber-security. The coverage is timed to coincide with the two biggest shows in the security calendar – Black Hat and Def Con.
We will have further features and videos on Wednesday, and then coverage from the two Las Vegas-based events over the following days.
Follow all our coverage via this link