Can Interventions Turn Teens from Cyber Crime to Cybersecurity?

SAN FRANCISCO — The average age of arrest in the U.S. is 37, but within cyber crime it drops to just 19.

At the 2024 RSA Conference, experts said this is because the U.S. doesn’t proactively do enough interventions to keep youngsters out of cyber crime. But the U.S. could learn a lesson from other countries that have already done so.

And federal authorities are hoping to do just that. Indeed, teenage threat actors like members of the Lapsus$ and the Com and its subgroup Scattered Spider have made a name for themselves in recent years.

“We're seeing increasingly sophisticated cyber crime being conducted by people who are younger and younger and younger,” said William McKeen, a supervisory special agent with the FBI’s Cyber Division. McKeen spoke at RSA. There’s “really significant serious cyber crime like we're seeing that's making the news now — nearly every day a different intrusion — where your question now is, ‘Was that a nation-state actor or a teenager in the United States?’”

The issue is serious enough to warrant a new objective in the updated National Cybersecurity Strategy. It calls for the FBI, Department of Justice and Department of Homeland Security to work across levels of government and the private sector to prevent, disrupt and deter juvenile cyber crime. It also encourages them to do this internationally.

Often, young people start with video gaming before getting into minor cyber crime like website defacement and distributed denial of service attacks, before graduating to ransomware and more serious cyber crime, McKeen said. Sometimes, adult criminal actors also recruit youth, said Abby Deift, director of policy and strategy in the Department of Homeland Security’s Office of the Chief AI Officer, also speaking during the conference.

Low-level cyber crime is also more impactful than its real-world counterpart: a kid defacing a website does more damage than defacing a building with graffiti, Deift noted.

But juveniles’ lighter sentencing may not be enough to scare off teen hackers, and the U.S. has few cyber-specific intervention programs for diverting them onto better paths, the Cyber Safety Review Board wrote in its investigation into Lapsus$.

And it can be hard for adults to notice kids are getting involved in online misbehavior until they’re deep in, said Floor Jansen, team leader of the Dutch Police’s Cyber Offender Prevention Squad.

“Online, people can develop a criminal career at lightspeed without anyone realizing until we are kicking in their doors, and that’s too late,” Jansen said.

So what can we do?

The Netherlands’ multipronged intervention programs aim to deter youth from cyber crime and divert them into cybersecurity careers. There’s plenty of ways to enter the cyber crime pipeline, Jansen said, and there need to be more ways to exit it.

One early intervention is sending police or cybersecurity professionals to give an hourlong talk about cyber crime at schools. The sessions end with a test designed to identify students who have both strong tech skills and a high risk of criminal behavior, Jansen said. Students scoring high in both areas are invited to a free workshop on online risks and cybersecurity careers, incidentally connecting them with peers who have common interests. The program has been popular, with barely any no-shows.

In the U.S., the FBI is looking to schools, the private sector and nonprofit entities to be the main force behind interventions, McKeen said. He envisioned cyber awareness campaigns and games for K-12 students as well as “robust mentorship” efforts to divert at-risk teens. In a current U.S. university pilot program, youths who commit lower-level cyber crime can be redirected to a free 12-week online class for college credit.

Another intervention is even simpler. Kids can easily find cyber attack how-tos by searching online, and so some nations now run warning ads that pop up alongside those same searches, detailing the punishments for hacking, Jansen said. These anti-hacking ads are low-cost, easily scalable and effective because they catch individuals right at the moment when they’re considering committing an offense.
The Netherlands also offers a community service program for first-time cyber offenders up to age 30 who are re-entering society — a kind of restorative justice approach that McKeen said the FBI would like to help build in the U.S. In the Netherlands, participants work under the supervision of a probation officer to put their tech skills to good use paying back society, Jansen said. For example, one participant developed a website to test whether Internet of Things (IoT) devices have become part of a botnet. So far only one participant has recidivated.

Failing to intervene means missing chances to recruit tech talent for good, prevent cyber crimes and steer youth away from criminal records with lifelong ramifications. Felony records in the U.S. often mean obstacles to jobs, housing, financial services and civic volunteering, noted McKeen.

Reaching out to kids with opportunities to use their skills in legal ways can make a real difference.

“We need to do more to give every one of these kids a choice of becoming a cyber professional instead of a cyber criminal,” McKeen said.