European authorities are testing out the idea that not every cybercrime investigation has to end with a hacker in handcuffs.
Police in the U.K. and the Netherlands have created a legal intervention campaign for first-time offenders accused of committing cybercrimes, officials explained Tuesday at the International Conference on Cybersecurity at Fordham University. The effort, called “Hack_Right,” is aimed at people between 12 and 23 years old who may be skirting the law from behind their keyboard and not even realize it.
The experiment, which began last year, already has involved interactions with more than 400 young people in the U.K., the officials said.
“We do this … to get out and find them and get them into computing clubs before we have to investigate someone and lock them up,” said Gregory Francis, acting national prevent lead at the National Cyber Crime Unit of the National Crime Agency. “[Cybercrime] is not a law enforcement problem. It’s a societal problem.”
The average age of an accused cybercriminal is 19 years old, according to Floor Jansen, an adviser to the Dutch National High Crime Unit. There is an “overrepresentation” of autistic traits in those offenders, she said, and the recidivism rate is relatively low compared to other crimes.
Many of those people are motivated to try new tricks online to impress their friends, such as stealing a password with a harmless intent, and don’t have the social context to understand that what they are doing is illegal, Jansen said. And unlike traditional crimes, any damage is physically invisible to the perpetrator.
“Most offenders will go to a forum right on the clear web … and buy a remote access tool for $40,” she said. “If they don’t understand what it does, they can call a help desk. So it doesn’t seem too illegal.”
Upon determining a first-time offender could be responsible for a security incident, police representatives visit with the suspect and explain what happened. Instead of threatening legal consequences, they push the teenage hacker into a kind of community service that consists of 10 to 20 hours of ethical computer training, and then put them in touch with professionals who can explain possible career paths and point to the best education based on their interests.
Jansen pointed to an unnamed student who hacked his school in order to change his age to 19 years old, thus allowing himself to miss more days than would be otherwise permissible. The punishment was a 20-hour program overseen by a probation officer and a two-day assignment meant to help the teen “play by the rules,” she said. Contrast that with an unrelated case earlier this year, in which New Jersey police arrested four students accused of hacking their school. Administrators warned the consequences are likely to be “severe.”
In order to qualify for the program, suspects must confess to their actions, not have a remarkable criminal history and be prepared to change their behavior.
There is a stark difference in the European and American approaches to cybercriminal enforcement. Bulgarian police last week released a 20-year-old security specialist accused of hacking the country’s National Revenue Agency, and accessing information about 5 million people, most of Bulgaria’s population. Meanwhile, suspects accused of similar crimes in the U.S. often face years in prison.