Cyber crime is on the increase and prevention is always better than cure. So, it follows that law enforcers must find a way to identify those at risk of offending and intervene early, often via schools and colleges.
Jisc's circumstantial evidence indicates that a significant proportion of cyber attacks at UK colleges and universities are probably launched by students. Analysing dates and times of incidents shows that common attacks are most often carried out during term time.
These students often have the kind of computer skills that, when used legally, are very much in demand by all kinds of organisations – including Jisc - and, with experience, they can command substantial salaries.
It’s this message that theNational Crime Agency’s National Cyber Crime Unit (NCCU) is trying to get across via engagement with schools and colleges. Its Cyber Choices scheme, supported by officers within the regional organised crime units, hopes to reach and turn these at-risk youngsters away from their dark path before it’s too late.
The chances of anyone who’s been caught and convicted of cyber crime as a young person from going on to realising a lucrative career in the cyber industry are likely to be negligible.
The problem, says the NCCU’s Alan Merrett, is two-fold: many students don’t realise they are close to, or have in fact, committed criminal offences, and even if college staff recognise the problem, they aren’t keen to call in the police either through lack of knowledge or perceived reputational risk. The answer, he feels, is to intervene early.
“The youngest referral so far was aged just eight. That child was using basic social engineering methods on his mates to guess passwords. Some people might say that's quite clever, but I think it’s worrying. By the time they get to secondary school, there are quite a few kids that are already familiar with this sort of activity.
“Education and intervention are pillars of the government’s crime prevention strategy, and our work is basically all about crime prevention.
“If the school or college don’t report it, we don't get sight of the problem until something major happens, and then it's probably too late. The police will probably visit the educational organisation concerned and the individual may well be arrested.
“What if that person had the engagement at an early stage, before any offence was committed? The outcome could have been very different. If a student is interested in cyber security, pen testing, and networks, and is exploring around the edges of what’s legal, we can explain why it’s a bad idea to go down that route.
“In many instances, they are just unaware of the Computer Misuse Act 1990, but once they've got a conviction under the Act, that virtually kills their career if they want to go into that field at a later date."
Highlighting the risks
“Our focus is raising awareness of where the line is and the risks of crossing that line. For example, it’s on the fringes of legal activity to scan networks looking for vulnerabilities, but it’s definitely illegal for someone to use the weaknesses they find to ‘break’ in and steal data.
“Then there’s the question of what they do with the information on weaknesses. There are ways of reporting vulnerabilities legally. What they don't want to be doing is going on to forums on the dark web and boasting that they’ve hacked into this school or college or that government department or company.
“We want to get across that they can still experiment, but we direct them how they can do that in an appropriate environment and within the law.”
Some individuals demonstrating suspected low-level offending are given a free license to Immersive Labs, where, in exchange for signing a behaviour contract, they can experiment and test their skill in a safe and controlled environment. In Merrett’s experience, at least a couple of young people who’ve gone through that process have moved on to better things.
In one instance, a student at college had downloaded the WannaCry virus on to a college computer. Thankfully, it didn’t propagate further, but he was subsequently expelled and the incident referred to the police. The college decided not to press charges and a ‘cease and desist’ visit was carried out instead. The student was placed on the Cyber Choices programme. His risk reduced over time because of his good engagement and understanding of the law, which resulted in him getting a job with a cyber security company in IT maintenance.
Engaging college staff
What’s lacking, says Merrett, is proper engagement from schools and colleges, where computer misuse is often not taken seriously. He explains:
“I still think it's regarded as larking around rather than breaking the law. What I try to get across is that the staff are letting students down if they don't deal with this kind of behaviour as soon as it’s identified. I want them to involve us when the problem is still at an early stage, when we’ve got a fighting chance of turning things around.”
Merrett’s message is simple: “Don't sweep it under the carpet. You're not the only ones out there encountering these issues and if it goes too far, there’s no getting away from the fact that an offence has been committed and it’s time to engage with the Cyber Choices programme. If it’s not stopped, your organisation could be at risk, too.”
Alan Merrett is speaking at the free-to-attend Jisc security conference (9-11 November).
The Cyber Choices programme website contains useful information and additional resources for teachers, parents and carers.