When talking about criminalization and risky/offending behavior in relation to cybersecurity, we need to keep in mind the context of these processes, since it frames developments in the industry too.
Generally, over the past 30 years there has been a shift in criminal justice (CJ) in the western world from rehabilitating people to managing the risk they are perceived to pose to society. The trend originated in the USA and seems to be intensifying over the years, with other jurisdictions following their example. This has led to neglect of other elements that help us understand crime (e.g. social environment), a continuous targeting of young people and increased fear of crime. So, how do criminalization and risky/offending behavior relate to cybersecurity?
Criminalization can impede the efforts of the cybersecurity industry by limiting lawful use of methods/tools and discouraging people from developing relevant skills and becoming part of the industry. Historically, criminals have been (mis)represented as highly capable professionals and this is the case with cyber-criminals too (however cybercrime has been deskilled and can be purchased even as a service).
To make matters worse, there are also fears that technical knowledge shared by and between experts might boost criminal skill; however, this has not been proven. Most of the attacks have taken advantage of low security standards and known vulnerabilities (sometimes known even for a decade), not sophisticated methods.
Overplaying the professionalization of cybercrime promotes anxieties about the dark side of technology, and is part of what feeds the public’s fear and leads to calls for excessive control measures. Ongoing discussions around sharing knowledge, tools, even disclosure of vulnerabilities can be traced back to this and can lead to restrictive regulation and criminalization of hacking tools and methods (already taking place in the US and other jurisdictions).
Examples of this are plenty: the ban of hacking instructional videos by YouTube, the discussion about restricting or even criminalizing the use of certain software and tools (most prominently Kali Linux and Tor), security researchers threatened with prosecution (even prosecuted) and/or retribution for researching vulnerabilities. Suppressing knowledge and criminalizing tools make everyone’s job harder, restrict the talent pool and make us less secure.
As young people are more likely to display risky/offending behavior, we need tailored initiatives to support young people developing cybersecurity skills at the early stages of learning. One well established fact is that the majority of people are most likely to offend by the age of 20, after that people are less likely to offend, they grow out of it.
At the same time, we know children as young as nine attend coding clubs, meetups, and conferences developing skills fundamental to cybersecurity (e.g. coding, computing, engineering, etc.). Unfortunately, when we combine the early onset of developing cybersecurity skills and the increased likelihood of risky/offending behavior in adolescence with the previous point on criminalization of methods, we see further criminalization of young people and prosecutions under computer misuse legislation (again the US is leading the way).
It’s worth noting that the more young people progress through the criminal justice system, the less likely they are to stop the risky/offending behavior.
From previous studies we know about the importance of peer support, changing identities and learning environment (school or any form of learning); in cybersecurity, initiatives should focus on educational settings and mentoring. There is a variety of learning sources by the community available online that can be freely accessed in most cases (e.g. Cybrary, GitHub, Hack the Box, etc.), but also offline local meetups.
Peer education which is widespread in the community too can be combined with these sources to boost skills and create an ethical learning environment. Based on my research with the infosec community, peer learning combined with mentoring from cybersecurity experts has great potential to provide guidance during the formative years or whenever one is entering the field.
Establishing these links fosters positive influences and can help young people and adults build and maintain an ethical approach to hacking (or make a successful transition if they have previously offended).
Peer education and mentoring initiatives aimed at young people developing cybersecurity skills should be established as part of good practice in the industry to promote ethical hacking. There have been combined efforts of the cybersecurity industry and law enforcement with early-intervention measures such as the NCA Intervention Days: young people learn what is considered criminal behavior under the Computer Misuse Act 1990 and are presented with career alternatives in the cybersecurity industry. Measures such as this are a good start, but they should be further developed outside CJ to avoid implications such as labelling and further risky/offending behavior.
The cybersecurity community should have a more active role and is ideally placed to develop initiatives that will allow young people to grow out of risky/offending behaviors with its support. Since young people can show risky behaviors but avoid prosecution if not caught, attention should be paid to the early teenage years of young people developing cybersecurity skills; they are key to forming an ethical hacking mentality and pathways out of risky/offending behavior.
This is why peer education and mentoring initiatives should not just take the form of CJ interventions; they should be considered good practice in the industry as expert guidance is needed to mitigate the risky/offending behavior more likely to take place at a young age.
Building inclusive initiatives around mentoring and peer learning instead of suppressing knowledge exchange would enable the cybersecurity industry to avoid criminalization of its own talent and practices, promote ethical hacking, reduce the skills gap and work towards a safer web.
Yanna Papadodimitraki has worked in criminal justice both as a researcher and a practitioner during which she developed an interest in interdisciplinary research and research-practice collaboration. She has been involved in projects on cybercrime and cybersecurity, youth offending and offender rehabilitation. Her current research explores Information Security and hacker communities in United Kingdom and Greece and is part of a cross-institutional, interdisciplinary project funded by the Engineering and Physical Sciences Research Council (EPSRC).