Tackling cybercrime and the threat of 'script kiddies' [Q&A]
Major cyberattacks still have the power to make headline news, yet reporting and indeed conviction rates for cybercrime remain low. It's perhaps not surprising then that rising numbers of young people are getting involved in these illegal activities.
We spoke to Simon Newman, International Cyber Expo Advisory Council member and CEO of the Cyber Resilience Centre for London, to get his views on what needs to be done to improve reporting and change the mindset of 'script kiddies' for the better.
BN: What are the reasons behind the low cybercrime reporting rates?
SN: I think that there are a variety of reasons why the reporting rate is so low. For businesses who suffer an attack, it's understandable that their immediate priority is to minimize disruption and focus on getting back up and running as quickly as possible. This can mean involving a wide range of internal and external stakeholders with the police, often being an afterthought. I think it's also fair to say that many businesses probably don't think the authorities can help them.
Another reason is that they might not perceive the attack to be serious enough to report it or that the volume of attacks is so high that it is just not practical to report every incident.
For individuals as victims of cybercrime, there may be other reasons. For example, it may be because the person feels embarrassed -- perhaps as a result of falling victim to a romance scam. Another reason is that if they have handed over any money, they may have been reimbursed by their bank and don't think it's necessary to report it to the police.
Perhaps the most worrying trend, however, is that younger people in particular who are by far the biggest users of technology, are growing up with the expectation that becoming a victim of cyber-crime is inevitable and don't consider reporting it for this reason.
BN: Do you feel this is playing a part in not bringing cybercriminals to justice?
SN: Conviction rates are low, and the lack of reporting certainly affects our understanding of the nature and scale of the problem, but I don't think it's having a significant impact on bringing cybercriminals to justice.
However, there are some challenges the law enforcement community faces which can make it more difficult. For example, many offenders are based overseas where different legal systems add complexity when trying to bring them to the UK to face trial.
There is also a challenge in relation to obtaining enough evidence in order to secure a conviction. Investigations are often lengthy, complex and require officers with specialist skills -- which are in high demand.
That said, UK policing has been very successful in disrupting cybercriminals and continues to develop its capability by working in partnership with others across government, the private sector and academia both here and overseas under the new National Cyber Strategy.
BN: What can be done to help people report cybercrimes and make it easier to get justice?
SN: A lot of work has been done recently to improve the process for reporting a cybercrime through Action Fraud. It is now much more intuitive, user-friendly, and quicker -- which is definitely a step in the right direction that should make it easier for individuals and businesses to report cybercrime.
I also think there's a lot more we can do from a wider public policy perspective by being more proactive in raising awareness about the importance of reporting cyber-crime and the different ways in which you can do it. For example, how many businesses know about the 'Report Phishing' add-in you can install if you have a business or corporate version of Microsoft 365? Or the NCSC's Suspicious Email Reporting Service (SERS) at [email protected]? Or that you can forward phishing text messages to 7726?
In terms of making it easier for victims to get justice, the key for me is collaboration. Tackling cyber-crime effectively requires a fully joined-up approach across the whole of the criminal justice system in the UK and internationally.
However, we must not lose sight of the importance of ensuring that victims get the support they need following an attack. That's where the Cyber Resilience Centres can help them by reducing the vulnerability of small businesses to the most common types of cybercrime and giving them the tools to prevent them from becoming repeat victims.
BN: Can you explain the rising trend towards 'script kiddies'?
SN: Script kiddies are basically individuals who carry out cyberattacks using other people's code because they lack the skills or experience to develop their own. They have been behind some of the most well-known cyberattacks in the UK, including the one against Talk Talk in 2015. The term 'kiddie' is generally used to denote their inexperience rather than their age, although many of them tend to be teenagers.
It is worth noting that not all script kiddies have malicious intentions -- some of them aren't even aware that they are committing a serious offense but do it for bragging rights or to show off to their friends. However, they are just as dangerous as more experienced cyberattackers.
The rise in the number of attacks carried out by script kiddies is primarily down to the accessibility and affordability of hacking tools on the internet. Many of these tools can be found easily in online forums where they can find detailed instructions about how to deploy them. Script kiddies are also increasingly being used by organized crime gangs to carry out attacks against specific targets.
BN: How can society tackle this issue and what programs and initiatives are in place to stop this activity?
SN: We've seen children as young as nine committing some very serious offenses so programs and initiatives that seek to divert young people away from cybercrime form an incredibly important part of the wider response to the problem.
In the UK, the average age of a referral to the National Cyber Crime Unit is just 15 years old. The Cyber Choices program, co-ordinated by the National Crime Agency, was created to help young people make better informed choices in their use of technology while encouraging them to use their cyber skills in a legal way. It helps explain the difference between legal and illegal cyber activity, increases awareness of relevant legislation and promotes positive cyber opportunities.
At a technical level, law enforcement agencies work hard to take down websites and online forums that promote hacking. Earlier this year, a multi-national operation involving agencies from the UK, US and four other countries worked together in taking action to close down the online hacking site 'RaidForums'.
At a societal level, it is essential that parents/guardians take an active interest in what their children are doing online. For example the Cyber Choices website has some great resources for families.
Photo Credit: Mila Atkovska/Shutterstock