Speaking at the Trend Micro Cloudsec conference in London, Trend Micro’s VP security research, Rik Ferguson, said that it is important to know what is going on inside the cyber-criminal’s mind, and what their motivations are.
Leading to a discussion around hiring ‘black hat’ hackers, the panelists agreed that there are instances where teenagers will use a malware tool to get ahead in an online game without realizing the criminal aspect of what they are doing. Paul Hoare, head of cybercrime incident management at the NCCU, said that there were opportunities for white hats to mentor these people “as they can be arrested at 15 and it is an issue we see a lot of.”
Asked by Ferguson if it was right to hire black hats, Charlie McMurdie, former head of the Police National Cyber Crime Unit and former senior Cyber Crime Advisor at PwC, said that it is easy to stereotype and not hire a certain person as “they present a risk and a vulnerability to your organization.” She explained she had come across numerous hackers who were employed by numerous businesses, but when you talk to them about how they committed their attacks, it becomes clear it does not require a lot of skills and a lot of youngsters are not that sophisticated and subsequently are arrested and charged, and later hired by businesses.
“Where they are really useful sometimes is to understand their motivation and why they did certain things, and how they got involved in certain acts, rather than hiring them for their technical capability – that is a big stereotype as some of them are very clever and very well informed,” she said.
“The debate is really on whether you would trust a hacker who has committed that offence to run loose within your organization and within your network.”
McMurdie added that some of those hackers, who were arrested as teenagers, are now doing Masters degrees and research in the cybersecurity arena.
“I think early intervention is a great opportunity, particularly with the youngsters.” She likened practising and honing skills like a sportsman would, and praised work done by industry to create environments to develop skills and motivations.
Ian McCormack, technical director for risk at the NCSC, said he agreed with that concept, as an important attribute of a person is an inquisitive nature, and an interest in how things work. “I don’t want to draw this as black and white, but look at their motivations,” he said. “It is far more productive for everyone if we can channel that into a positive direction, and encourage them to look at things like Cyber First and Cyber Security Challenge that they can participate in.”
Nicole van der Meulen, senior strategic analyst at Europol, argued that until now it has been very black and white, and when arresting a teenager “you basically commit them to a life sentence and that is very problematic.”
She added that role models would have to be within their peer group for them to take notice, and teachers of today may not be equipped with the right education.
Asked by Ferguson if we need to do more within schools as an industry, Hoare said that the issue is commonly that the pupils know more about the subject than the teacher, and active engagement has had a positive response.