
Give it 24 hours, then count the density of the string 'script kiddie' in the comments
An academic researcher has analysed more than 100 Computer Misuse Act cases to paint a picture of the sort of computer-enabled criminals who not only plagued Great Britain’s digital doings in the 21st Century but were also caught by the plod. The average Computer Misuse Act convict is likely to be a semi- or low-skilled …
"Nonetheless, the median criminal computer abuser is “young and male, with mental health and development disorders over-represented in their number,” the researcher concluded."
Can we really "abuse" a computer?
The information concerns only those that got caught; can we therefore infer that the median abuser that got away is a perfectly formed sane old woman?
Link: https://www.theguardian.com/uk-news/2018/sep/21/british-spies-hacked-into-belgacom-on-ministers-orders-claims-report
*
Oh.....I get it....hacking by residents of Cheltenham IS NOT A CRIME! Silly me!!!
*
Then there's the convenient legal arrangement with the USA -- US citizens get to hack Brits, and Brits get to hack US citizens -- AND NO ONE BREAKS THE LAW!
*
We need some better reporting.....about the CORPORATE hacking that is the REAL problem.
Belgacom hack reporting: https://www.theregister.com/2018/10/26/belgium_finds_evidence_gchq_belgacom_hack_proximus/
If it HELPS we can randomly insert WORDS ..... in BLOCK capitals......... and hold DOWN THE period KEY..... and dribble ON the KEYBOARD!
Tedious dullard.
"sort of computer-enabled criminals who plague Great Britain’s digital doings in the 21st Century." WRONG!
"sort of computer-enabled criminals who WERE CAUGHT plaguing Great Britain’s digital doings in the 21st Century." RIGHT!
This is an analysis of the failures - the ones Plod can catch.
We can assume the ones they haven't caught are brighter, better educated or better organised... or all those things.
Mind you, I'm a real Researcher, not an "academic researcher", whatever the fsck that is.
'...an "academic researcher", whatever the fsck that is.'
An academic researcher is an academic (works in a university or college - typically as a professor/tutor but may be a PhD student) who does research.
It took me less than five minutes to find that using Google and I'm not a Researcher - real or otherwise - at all.
This is the only example of a boomerang researcher that I know of & I think he's pretty far from the campus.
https://www.youtube.com/watch?v=qH5rC1NJ-54
Icon - God I'm old, I remember the night that video played out over the course of the entire night in every ad break before the reveal of what the fuck it was advertising right at the end (Which was then repeated several times for those that had missed the conclusion & I had to explain it to my dad who just got in from the pub when he saw it).
“The low skill category is largely made up of ex-IT employees who used their knowledge of the systems that they used to operate in order to damage their previous employers,”
“the median criminal computer abuser is “young and male, with mental health and development disorders over-represented in their number,”
"On the flip side, British police forces have been rather good at diverting young computer-enabled criminals into activities that harness their talents for positive things, such as working in the IT industry"
So... let me get this straight... median user used to be an IT drone, got thoroughly depressed, decided to try and get rich quick by fleecing their former employer, and the solution is to find them more work as an IT drone?
"median user used to be an IT drone, got thoroughly depressed, decided to try and get rich quick by fleecing their former employer, and the solution is to find them more work as an IT drone?"
And, of course, "failed to hold down their original IT job" fits in there somewhere.
Mental health issues don't necessarily mean 'depressed'.
Think of it another way: Young men with mental health and development disorders lack the support needed to fit into society and hold down a job.
Which might help explain this statistic, along with several other justice system and prison statistics, homelessness rates and suicide rates.
I assume the article refers to hackers not sponsored by a Hostile State or organised crime of some form, but just people who individually 'hacked' into some computers for nefarious purposes.
Certainly the people who used perfectly understood means to create electronic accounts in my name and then transfer money from my savings accounts with passbook and signature only access, so that they could then empty the Internet account*, were competent, but does that count as hacking under the investigation? They were well-organised and criminal so I'd tag them as 'organised crime'. BTW, no-one is actually looking for these people. Action Fraud aren't interested as 'I have not been the victim of a crime' (I got the money back), and according to them 'identity theft' is not a crime**.
*(They 'only' got about £45k, which I got back from the building society.)
**(Yes, I know this is a contentious issue, but I've been informed of this by both ActionFraud and Thames Valley Police, and am a bit p***ed off by having to repeat it. You can legally call yourself by any name you choose in the UK, it is the stealing of money that is illegal, and that, it seems has to be reported by whoever actually loses the money.)
This research only covers people convicted under the Computer Misuse Act. As stated, people who commit larger crimes will likely be charged and convicted under something else, like the laws against theft, because they are easier to use in court and lead to more definite sentences. It also only includes those people who operated on a large-enough scale to get the attention of the police, who didn't do enough to cover their tracks, and who didn't do so much that the really determined and skilled investigators got brought in.
The article points out that these caught criminals mostly got the experience they needed to commit the crimes from once having legit jobs in the IT workplace. If there are few women in the IT workplace, women won't be getting the skills, however rudimentary, that they would need to embark on a life of computer crime.
If you start with a list of people who have been caught (because, sensibly, there isn't really any other list available), then you have to allow in your conclusions that they cannot have been very bright or competent to start with.
I have seen the *cough* IT "competence" *cough* of the police and those they subcontract to up close and I have yet to be impressed. It's a good thing for the police that some convictions lend such an amount of taint that it's costly to go against them, but justice it ain't.
Let's face it, it's not that hard to find the right mix of useful tools and poorly protected systems and with everything connected online by default you have a nice melting pot with a lot of low hanging fruit to pick off.
The reason unskilled people are able to do this is because those with the skills are making good money on the good and bad sides of the fence and enjoy the really hard challenges. Knocking off a poorly patched webserver to hook a few people and snag some PayPal accounts is not rocket science, given the time and patience most of us could do it relatively easily if we tried. The smart people are out there taking on harder challenges leaving the drones to pick up that low hanging fruit of people who still use "password12345" as the primary password on 58 websites!
After leaving uni many years ago, I was unemployed for a while. The benefits people made me apply for a temporary filing job, *with the very same benefits department*.
During the interview, the interviewer said I was far too qualified for the job, and couldn't understand why I'd want it, as I'd just be bored out of my mind.
Thinking this was a trap to stop my dole money (it turned out not to be - the department didn't know the same department had sent me for a job in their department!) I did my best to convince her I was perfect for the job.
It got to the point where I even said "I have a good ability to switch off when doing mindnumbingly boring work, so I don't get bored"....
Needless to say, I didn't get the job.
Two points worth considering:
[1] these are the ones not smart enough to avoid detection and prosecution
[2] given the general poor resilience of the attacked, no significant skills are usually necessary.
A common and well established error among academic criminologists is to draw their research samples from the prison population. This inevitably biases their research towards representing the professional failures. The successful remain below the radar and therefore never get researched.
.. among people who comment on the internet is that they think that they can (a) spot really obvious things that - somehow - have never, ever occurred to those with relevant expertise; and, further, they think (b) that even if those experts had spotted the obvious thing, they would not ever think of understanding their work with that in mind.
Of course in the "criminals" context, it tends to be quite hard to study the behaviours of people that you cannot find, cannot catch, and who would rather avoid attention or examination of any kind. So sometimes you just have to work within the data you can get; and understand the results in full knowledge of that.
All the decent ones have surely been tagged, recruited by GCHQ, MI5 or MI6 (or whatever they are being called these days), and given blanket pardons from any previous criminal acts, as long as they continue to work for the "good guys" in the gov't....
I work in the education field - test results, etc. We give access to teachers and administrators. But recently, we give access to students. I point out possible issues and suggest that student access be completely separated from other users - different servers, different database, etc. I'm told not to worry - our students are not that clever, etc. Right, I think. The average student may not be that clever, but there are more of them than us. It takes only one clever bugger.
Hah with my students I *really* don't need to worry ;)
(Anonymous because I don't want to hurt their feelings. They *do* try their hardest.)
Our biggest threat at the moment is the very poorly implemented "web tech" that holds up the VLE and student accounts database along with Microsoft's terrible services. This really does open us up to opportunistic attacks from anyone running a script.
"I'm told not to worry - our students are not that clever, etc."
I suggest you keep hard copy of that correspondence. You're likely to need it.
Back in the 1990s I was told that by a high school when I said it was only a matter of time before they got hacked by the students - and if they were lucky said students would ONLY change their exam grades.
I was an external consultant and as a result was told my services were no longer required. It was less than 2 years later before the inevitable happened and a bunch of private information got out. The fact that they'd been warned meant their liability insurers voided their policy, so it got quite expensive for the administrator concerned (who had overridden everyone else one summer holiday when sleazy salespeople had shown up with a slick sales job, resulting in staff returning to a done deal).
As many have noted above criminals are not noted for their skills and while computer crime requires more skill than a 'smash-n-grab' often it is done by script kiddies or the like. Also, how many reported computer crimes are solved which would give a more interesting number. I suspect many computer crimes go unreported which also skews the statistics. Also, how many of the 'computer crimes' are prosecuted under other relevant statutes; fraud was noted in the post.
Considering this report was compiled by a university researcher who pulled a good deal of his data from El Reg, it sounds like a day's worth of serious work and a bit of polishing (possibly), the sample size is small enough to not really mean a great deal, particularly as it focussed on only those cases linked to the CMA Act. More detailed research to pull out all cases involving computer related crimes over a similar period may paint a completely different picture.
As pointed out by the majority of posts above, the value of the research as a profile of likely offenders will mostly show the profile of the least successful offenders, so not all that valuable.
Having been an El Reg reader since its inception and spent at least as many years chasing various miscreants across networks who never got anywhere near court, I'd say fewer than 0.1% ever get anywhere near police, let alone a court.
For the most part the Plod simply don't want to know, even when it's dropped giftwrapped into their lap, unless "someone influential" puts a flea in their ear.
What's really surprised me over the years is how few cases have resulted in victims taking matters into their own hands. Many of the most destructive/malicious skiddies haven't exactly been low profile.
We should take into account that people with good skills in the U.K. can find a good well paid job that makes risks associated with crimes not that attractive.
Which is why “foreign agent” hackers are the ones that are better qualified - the risks to be caught are lower if you are based in a country where the government supports your hacking and market salaries in those countries are not necessarily that high.
Considering that most of the "top" cyber security professionals are individuals recruited following being caught red-handed breaking into things; clamping down on people breaking into low level stuff is not conducive to developing the skills needed.
Breaking into something without a pre-made script requires time, patience, investigative skills and a lot of error. For the average Brit trying to pay the rent you're probably too busy working all the hours that you can at McSlop to have the time to put the investigative hat on to learn how to really break into stuff.
Classroom teaching of cyber sec too often ends up an exercise in teaching best practice for passwords and network design. Relevant, but not the skills you "need" to develop to be an effective attacker. And by being an effective attacker, you become by default a skilled defender, because you know what the opposition are looking for.
Red/Blue team exercises are probably the closest to "real" attack and defence skills development anyone can ever create. The last I checked, the number of outfits that teach those skills or have facilities for it are pretty small.