Why are cybercriminals getting younger?


17, 19 and 20. Those are the ages of the suspects in both the recent Kido nursery hack and the April attacks that left British retailers Marks & Spencer and The Co-operative with reduced services and millions of pounds down.

The same gang who claimed responsibility for the M&S hack also targeted Jaguar Land Rover in August, halting global production and affecting thousands of businesses who rely on sales to JLR to support their own employees.

Nick Palmer

Head of International Business Development and Sales of Group-IB.

In the past, such attacks on industry behemoths were largely carried out by state-sponsored hackers from nations such as Russia or North Korea. But the vast majority of suspects identified in recent high-profile cyberattacks have two things in common: they’re English-speaking, and they’re young.

At a time when our younger generations are facing a choice between using their skills for good or for bad, it’s critical we sway them towards careers in the cybersecurity industry.

Where are young people learning how to hack?

The sudden spike in youth cybercrime might indicate a rise in the number of young people learning how to hack - but there’s another reason: the growing accessibility of ransomware, peddled by an increasing number of Ransomware-as-a-Service (RaaS) suppliers.

RaaS groups supply the programs which affiliates (like the teens arrested in the M&S and Co-op hacks) then use to target specific businesses.

The affiliate programs make it easy for wannabe hackers to access the infrastructure needed to break through an organization's security measures - meaning they don’t have to be highly skilled hackers in their own right.

In return for use of their platform, the RaaS group takes a cut of the earnings an attack generates from affected businesses. Most often this comes from a ransom, which is paid to recover the encryption key to decode stolen data and keep it from being published on the web.

What’s driving young people towards cybercrime?

So, hacking is getting more accessible. But why is it attracting an increasing number of young people?

Fergus Hay, co-founder of youth cyberskills initiative The Hacking Games, recently spoke on Group-IB's Masked Actors podcast about the common motivations of young cybercriminals. He summarized these as ‘the four Fs’: fame, frustration, finances and friends.

High-profile cyberattacks satisfy all of the above - they provide their perpetrators with recognition, with an outlet for growing dissatisfaction, and with a potentially very large payout from organizations who bend to the ransom demands.

As for the community aspect, Fergus suggests that this has its roots in online gaming communities - where many young people get their first taste of ‘hacking’. In games, you've got a live laboratory of testing, hacking, modding, breaking games, doxxing each other, and creating aim-bots.

All this experimentation is developing their skillset, and it's rewarded all the time with XP points and promotions and competitions.

In gaming communities, hacking is therefore not only encouraged but legitimized.

Another potential root cause lies in the way cyber talent has been historically sourced and developed. Traditional recruitment often focuses on formal education and training, whereas self-taught, gifted individuals who don’t follow this conventional path are overlooked.

Fergus also notes that an overwhelming majority of cyber talent are neurodiverse, which may make traditional recruitment paths even more inaccessible.

With legitimate career paths appearing out of reach, talented individuals with strong cyber skills - and knowledge of what those skills might earn them if put to use illegally - are prime targets for recruitment by cybercriminal organizations.

Ethical cybersecurity’s image problem

The cybersecurity skills gap is not a new issue. In September of this year, the UK Government released a study which showed that almost half of all UK businesses struggle with a ‘basic skills gap’.

The top three perceived skills gaps within the cyber sector were in ‘auditing and assurance’, ‘digital forensics’, and ‘cryptography and communications security’.

These are areas where young talent could thrive - and yet, while talent shortages have shrunk since last year, there’s still a long way to go.

One potential reason is the perception of cybersecurity roles amongst young people; they’re viewed as dull, or overly technical, lacking the allure and appeal of underground criminal work. Just compare the pop culture imagery of a mysterious, elite hacker to that of an IT professional haunting a corporate basement.

This image problem has real consequences. Without convincing incoming digital talent that cybersecurity is a viable, desirable career, the industry will continue to lose skills to more ‘thrilling’ environments.

Where do we go from here?

To combat the rise of youth cybercrime, the industry needs to do more than bolster security perimeters. It needs to address the social factors drawing young people towards criminality in the first place.

The image of cybersecurity needs to shift, to entice new talent towards legitimate career paths - but so does the image of a good hire.

Organizations must look at their hiring policies and redefine what a good hire looks like. It's time to rethink how the industry engages with potential talent, reaching them where they are spending their time - whether that’s in a gaming environment or on Discord servers.

And we have to look beyond the traditionally accepted candidates to fill the skills gap, reaching those outside of the higher education system and in neurodiverse communities with opportunities to develop skills and identify career paths.

Recent cases have overwhelmingly shown that young people in the UK and beyond have the cyberskills necessary to make a huge difference, whether as a liability or an asset. Now it’s down to the industry to show that there are legitimate spaces where their talent will be valued - before they go to the RaaS message boards.

You can listen to the full episode From Joysticks to Jailbreaks wherever you get your podcasts. Just look for ‘Masked Actors’.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://salesfrenzy.shop/news/submit-your-story-to-techradar-pro
