Report identifies path from online gaming to cyber-criminality
CREST NCA report launch
A link between online criminality and online gaming has been identified in a report released jointly by the National Crime Agency and CREST.
The launch event was held today at IBM's offices on the Southbank in London.
“Identify, Intervene, Inspire”, authored by the NCA's National Cyber Crime Unit (NCCU) and CREST, identifies a pathway that many young cyber-criminals have followed from online gaming to serious cyber-crime. By tracing this path, it's possible to trace the path back to the source and hopefully identify vulnerable teenagers who might also follow the same pathway.
CREST and the NCA also hope to design intervention strategies to deter or distract these children and guide them into socially more useful activities.
According to CREST president Ian Glover, the pathway they identified begins with online gaming which can expose participants to several opportunities to get involved with low-level hacking. This may start with relatively harmless gaming cheats and gaming modifications but then graduates to participation in hacking forums.
CREST's research was based on a series of workshops with CREST members who work as penetration testers and were heavily involved in gaming and coding when they were children.
While the majority of children who play online games don't progress to criminality, participating on hacking forums inevitably exposes vulnerable young people to cyber-criminals who may begin to groom them to commit a series of more and more serious computer network attacks.
The report attempts to put the pathway into context by describing what is happening in the world around the affected child as they are progressing down the path, looking at the status of relationships and level of parental understanding of what the child is doing online.
Based on this analysis, it suggests 14 intervention points to identify and divert vulnerable children.
Also presenting at the conference were two representatives from the NCA who did not wish to be identified.
They presented the results of data analysed from Project Dermis, an investigation into online crime which supports the report's conclusions.
The project accumulated a database of 750 suspects with an age range of 14 to 18 years. Out of this number, police were able to identify names, email addresses and in some cases physical addresses for several of these people.
As part of Dermis, police sent 350 warning emails to people who, they said, had shown an interest in crime by downloading hacking tools.
They were also able to mail physical letters to 200 suspects warning them against their activities. These were designed to demonstrate to the suspects that they were not immune from identification simply because they were operating on the internet.
In addition, they hand-delivered 99 'cease and desist' letters to suspects who had not only downloaded the hacking tools but also used them.
There were more than 100 arrests as a result of Dermis, of which 21 were in the UK.
One of the NCCU's goals was not just to punish or warn the young people but also to try to divert them away from crime into more socially useful activity. Information about alternative IT challenges such as coding clubs and the Cybersecurity Challenge UK was included with the letters and emails.
“We realised that we needed to show them opportunities that were constructive,” one officer commented. “The feedback was that it was very important to link to positive diversions – we have to be more progressive in a digital world.”