Analysis: Sometimes those arrested for cyber crimes are simply fall guys for a professional gang.
Within a week of the TalkTalk hack, a suspect had been arrested under the Computer Misuse Act.
The following weeks would see several more arrests, with the total reaching five by the end of November.
What strikes a casual observer is that the suspects were almost all teenagers, with ages ranging from 15 to 20.
Why are so many cyber-criminals teenagers? Is it just a matter of having enough free time and late nights?
In medieval times, when assaulting a castle, the phrase ‘forlorn hope’ was used to describe the band of soldiers taking the leading part in an attack on a defended position, where the risk of casualties is high.
It is this term that Philip Virgo, Chairman of the Conservative Technology Forum, applies as a metaphor to people like the TalkTalk teens, or ‘scriptkiddies’, as they are termed in the industry.
These scriptkiddies use scripts or programmes developed by others to attack websites or networks.
The connection of teenagers to hacking is nothing new, says Bob Tarzey, Principal Analyst at Quocirca; it dates back to the first ever worm back in 1988.
"In those days their activity was seen as just mischievous and they wrote their own code."
In the late 1990s, 19-year-old hacker Raphael Gray‘s antics brought the FBI to Clynderwen, Pembrokeshire.
"These days, many exploits can be brought off the shelf and launched by whoever, so it would be true to say that those responsible for ‘making the code’ are often not those that use it," says Tarzey.
He says that there is now a broad church of people using this available code, including People’s Liberation Army (PLA) hackers working for the Chinese government or hacktivists inspired by an ethical purpose.
This encompasses the world of ‘malware as a service’: teenagers and non-experts can pay for services and purchase software products online, as Andy Green, senior technical specialist at Varonis notes.
"The services host the malware, so all that’s required is a credit card to get into the hacking business," Green says. "No installation required."
On the other hand, some of the users may be sponsored by a boss, working for money or for other reasons.
Stephen Moody, Solutions Director of EMEA for ThreatMetrix, adds that in this sense, the cyber world is similar to the conventional world of crime:
"All crime gangs need local foot soldiers to actually commit the end points of fraud or crime. It’s no different to the set-up of other types of organised crime – the leaders and the ones who make the most money will be very far away from the local ‘crime’."
Teenagers are obviously vulnerable in several key ways, making them prone to being employed as vectors for cyber-crime: they may be keen to make quick money and may be willing to do so using a questionable means.
The teenagers may use their own equipment and broadband connection, meaning that the trail to the shadowy actors lurking behind them is obscured.
This, of course, raises the issue of accountability. According to Philip Virgo, speaking at an 8MAN event, this means that arrests are the least of the malicious actors’ worries; having the money recovered would actually be far more damaging.
This is where he believes efforts should focus, rather than on prosecutions. He argues that many cybercrimes have been successfully settled outside of court.
In one case, according to Virgo, an asset recovery firm was hired by a city consortium to track down some stolen money.
The firm monitored the routes which the hackers were using, gathered information about their illegal activities, and then effectively blackmailed them with this information to demand the return of the stolen money.
They got it back, with interest.
In the cases where the teenagers are not acting on somebody else’s behalf but using someone else’s code, however, there is no reason that they should be exempt from the laws.
Adam Tyler, Chief Innovation Officer at CSID, uses the metaphor of an arms dealer and a shooter to explain this. Guns don’t kill people, people kill people, the saying says.
Aside from looking outside of the confines of the law and towards the purely financial when hit by an attack, companies should of course try to prevent a breach as far as possible by upping their game in terms of security.
As for the wider involvement of teenagers with hacking, education to remove naivety around the ‘get-rich-quick’ scheme promised by cyber-crime would perhaps be a good starting point.