back to article Average convicted British computer criminal is young, male, not highly skilled, researcher finds

An academic researcher has analysed more than 100 Computer Misuse Act cases to paint a picture of the sort of computer-enabled criminals who not only plagued Great Britain’s digital doings in the 21st Century but were also caught by the plod. The average Computer Misuse Act convict is likely to be a semi- or low-skilled …

  1. Prst. V.Jeltz Silver badge
    Headmaster

    give it 24 hours , then count the density of the string 'script kiddie' in the comments

    1. Alpine Hermit
      Mushroom

      Equal Opportunities?

      No, I'm much more concerned about the lack of equal opportunities available in the hacking industry:

      "Males made up a whopping 97 per cent of perps"

      It's about time that schools opened up these career opportunities to female and trans hackers.

      1. SsiethAnabuki

        Re: Equal Opportunities?

        It could, of course, be that the demographics of "computer criminals" do not mirror the demographics of those caught and prosecuted.

    2. Kane Silver badge
      Joke

      "give it 24 hours , then count the density of the string 'script kiddie' in the comments"

      I can probably find a script somewhere online that could do that...

      ACTIVATE THE LOW ORBIT ION CANNON!!111!11!!!

    3. Citizen99

      Then read them some of your poetry?

      1. Alan Brown Silver badge

        "lyshus fripping wimbgunts"

    4. Cederic Silver badge

      Would 'script kiddie' approaches be deemed 'low skill'?

      Misusing known credentials is rather different to researching, acquiring and deploying prebuilt attacks, even if the person deploying them would not be able to create them from scratch.

  2. Khaptain Silver badge

    "Nonetheless, the median criminal computer abuser is “young and male, with mental health and development disorders over-represented in their number,” the researcher concluded."

    Can we really "abuse" a computer ?

    The information concerns only those that got caught, can we therefore infer that the median abuser that got away is perfectly formed sane old women ?

    1. chivo243 Silver badge
      Go

      Can we really "abuse" a computer ?

      you must not work with users.... I wish we could post pics here. It is the 21st century? No? Hint to El Reg...

    2. LDS Silver badge
      Joke

      We have to jail more women!

      To keep the gender balance!

    3. Paul Herber Silver badge
      Trollface

      Some people might say that the median computer programmer is “young and male, with mental health and development disorders over-represented in their number"

      1. Blazde Silver badge

        Isn't the median criminal 'young and male, with mental health and development disorders over-represented in their number' too? It's nice to have data but I don't feel we've learnt anything here.

  3. Flexdream

    They're the ones who get caught and convicted.

    1. Doctor Syntax Silver badge

      Which in turn means they were in reach of the UK police and courts.

    2. John Robson Silver badge

      It's like adding armour to planes based on the bullet holes of the survivors...

      It's clearly places *other* than where you see bullet holes that the planes are vulnerable.

  4. Anonymous Coward
    Anonymous Coward

    What about........

    Link: https://www.theguardian.com/uk-news/2018/sep/21/british-spies-hacked-into-belgacom-on-ministers-orders-claims-report

    *

    Oh.....I get it....hacking by residents of Cheltenham IS NOT A CRIME! Silly me!!!

    *

    Then there's the convenient legal arrangement with the USA -- US citizens get to hack Brits, and Brits get to hack US citizens -- AND NO ONE BREAKS THE LAW!

    *

    We need some better reporting.....about the CORPORATE hacking that is the REAL problem.

    1. gazthejourno (Written by Reg staff)

      Re: What about........

      Belgacom hack reporting: https://www.theregister.com/2018/10/26/belgium_finds_evidence_gchq_belgacom_hack_proximus/

      If it HELPS we can randomly insert WORDS ..... in BLOCK capitals......... and hold DOWN THE period KEY..... and dribble ON the KEYBOARD!

      Tedious dullard.

      1. Anonymous Coward
        Anonymous Coward

        Re: What about........

        Sometimes I wish I had more upvotes. Like in this case.

      2. TimMaher Silver badge
        Trollface

        Re: What about........

        Could have been Bombastic Bob. Working under cover.

        1. Arthur the cat Silver badge

          Re: What about........

          Not enough capital letters.

          1. The Oncoming Scorn Silver badge
            Paris Hilton

            Re: What about........ Dribble On The Keyboard.

            That's about 96% of supported users in my experience & very very lucky if it's just saliva on the keyboard.

      3. Korev Silver badge
        Gimp

        Re: What about........

        >Tedious dullard.

        Has Sir been trained by the Moderatrix?

        More of this please.

  5. Allan George Dyer
    Holmes

    "Average caught British computer criminal is young, male and not highly skilled" - FTFY

    Maybe there is a correlation with the average skill level of the British Police in these matters?

    1. theModge

      Maybe there is a correlation with the average skill level of the British Police in these matters?

      I've always believed (and felt it to be a commonly held belief) that the police only catch the least competent criminals as it is, there's no reason why using a computer should change that.

      1. Dave314159ggggdffsdds Silver badge

        "the police only catch the least competent criminals"

        Sometimes they catch more competent crims who are just plain unlucky.

        Mostly, they catch black people and then find something to pin on them.

        1. Rich 11 Silver badge

          ...the ones that survive the fall down the custody suite stairs.

          1. The Oncoming Scorn Silver badge
            Holmes

            Mother Of God (Obligatory Ted From LOD)

            survive the fall up the custody suite stairs.

            FTFY.

          2. Kane Silver badge
            Joke

            "...the ones that survive the fall down the custody suite stairs."

            "But there aren't any stairs to the custody suite!"

            "Stairs can be arranged"

            Paraphrasing here - Jingo, Terry Pratchett

            Pterry Icon El Reg?

  6. Hoddy

    Sampling Bias anyone???

    "sort of computer-enabled criminals who plague Great Britain’s digital doings in the 21st Century." WRONG!

    "sort of computer-enabled criminals who WERE CAUGHT plaguing Great Britain’s digital doings in the 21st Century." RIGHT!

    This is an analysis of the failures - the ones Plod can catch.

    We can assume the ones they haven't caught are brighter, better educated or better organised... or all those things.

    Mind you, I'm a real Researcher, not an "academic researcher", whatever the fsck that is.

    1. A Non e-mouse Silver badge

      Re: Sampling Bias anyone???

      Survivor Bias

      1. Red Ted Silver badge
        Go

        Re: Sampling Bias anyone???

        Hmm, so should I be hiring female hackers?

        1. Snowy
          Coat

          Re: Sampling Bias anyone???

          Older female hackers :)

          1. Paul Herber Silver badge

            Re: Sampling Bias anyone???

            What about the non-binary computer hackers? Can an analog computer be hacked? Sample-and-hold-and-hold-and-hold ...

    2. RuffianXion
      Boffin

      Re: Sampling Bias anyone???

      '...an "academic researcher", whatever the fsck that is.'

      An academic researcher is an academic (works in a university or college - typically as a professor/tutor but may be a PhD student) who does research.

      It took me less than five minutes to find that using Google and I'm not a Researcher - real or otherwise - at all.

      1. Brewster's Angle Grinder Silver badge
        Coat

        Operator precedence

        A genomics researcher is someone who researches how our genes affect us, and a boomerang researcher is someone who researches how boomerangs hit us, so surely an academic researcher is someone who researches academics?

        1. The Oncoming Scorn Silver badge
          Pint

          Re: Operator precedence

          This is the only example of a a boomerang researcher that I know of & I think he's pretty far from the campus.

          https://www.youtube.com/watch?v=qH5rC1NJ-54

          Icon - God I'm old, I remember the night that video played out over the course of the entire night in every ad break before the reveal of what the fuck it was advertising right at the end (Which was then repeated several times for those that had missed the conclusion & I had to explain it to my dad who just got in from the pub when he saw it).

          1. Brewster's Angle Grinder Silver badge

            Re: Operator precedence

            #problematic: stereotyping indigenous wildlife as a booze cabinet. #NotAllKangaroos are addicts. And those that are have better taste than Heineken.

    3. werdsmith Silver badge

      Re: Sampling Bias anyone???

      Young, male and not highly skilled....

      Hey, that's me!!

      OK, well two out of three is most of it, right?

  7. Clive Galway
    Facepalm

    Rinse, repeat?

    “The low skill category is largely made up of ex-IT employees who used their knowledge of the systems that they used to operate in order to damage their previous employers,”

    “the median criminal computer abuser is “young and male, with mental health and development disorders over-represented in their number,”

    "On the flip side, British police forces have been rather good at diverting young computer-enabled criminals into activities that harness their talents for positive things, such as working in the IT industry"

    So... let me get this straight... median user used to be an IT drone, got thoroughly depressed, decided to try and get rich quick by fleecing their former employer, and the solution is to find them more work as an IT drone?

    1. Doctor Syntax Silver badge

      Re: Rinse, repeat?

      "median user used to be an IT drone, got thoroughly depressed, decided to try and get rich quick by fleecing their former employer, and the solution is to find them more work as an IT drone?"

      And, of course, "failed to hold down their original IT job" fits in there somewhere.

    2. Rich 11 Silver badge

      Re: Rinse, repeat?

      It's recidivism dressed as rehabilitation. But it'll look good on a league table somewhere.

      1. Gene Cash Silver badge

        Re: Rinse, repeat?

        It's better than the US does, which is "throw away the key"

    3. Cederic Silver badge

      Re: Rinse, repeat?

      Mental health issues don't necessarily mean 'depressed'.

      Think of it another way: Young men with mental health and development disorders lack the support needed to fit into society and hold down a job.

      Which might help explain this statistic, along with several other justice system and prison statistics, homelessness rates and suicide rates.

  8. Eclectic Man Silver badge
    Unhappy

    State sponsorship and Organised Criminals?

    I assume the article refers to hackers not sponsored by a Hostile State or organised crime of some form, but just people who individually 'hacked' into some computers for nefarious purposes.

    Certainly the people who used perfectly understood means to create electronic accounts in my name and then transfer money from my savings accounts with passbook and signature only access, so that they could then empty the Internet account*, were competent, but does that count as hacking under the investigation? They were well-organised and criminal so I'd tag them as 'organised crime'. BTW, no-one is actually looking for these people. Action Fraud aren't interested as 'I have not been the victim of a crime' (I got the money back), and according to them 'identity theft' is not a crime**.

    *(They 'only' got about £45k, which I got back from the building society.)

    **(Yes, I know this is a contentious issue, but I've been informed of this by both ActionFraud and Thames Valley Police, and am a bit p***ed off by having to repeat it. You can legally call yourself by any name you choose in the UK, it is the stealing of money that is illegal, and that, it seems has to be reported by whoever actually loses the money.)

    1. doublelayer Silver badge

      Re: State sponsorship and Organised Criminals?

      This research only covers people convicted under the Computer Misuse Act. As stated, people who commit larger crimes will likely be charged and convicted under something else, like the laws against theft, because they are easier to use in court and lead to more definite sentences. It also only includes those people who operated on a large-enough scale to get the attention of the police, who didn't do enough to cover their tracks, and who didn't do so much that the really determined and skilled investigators got brought in.

  9. Anonymous Coward
    Anonymous Coward

    Weirdly this is an almost unbiased view on the male / female ratio in the IT workplace.

    For example, there are no sexist "hiring processes" for the criminal IT industry and yet females still don't seem to have much of a proportion.

    1. Anonymous Coward
      Anonymous Coward

      ... there are no sexist "hiring processes" for the criminal IT industry ...

      That's an interesting piece of intuition.

    2. Dr. G. Freeman

      They're low in the proportion that get caught.

      Therefore, female hackers are the better ones.

    3. Postscript
      IT Angle

      on the job experience

      The article points out that these caught criminals mostly got the experience they needed to commit the crimes from once having legit jobs in the IT workplace. If there are few women in the IT workplace, women won't be getting the skills, however rudimentary, that they would need to embark on a life of computer crime.

      1. Anonymous Coward
        Anonymous Coward

        Re: on the job experience

        I thought the article suggested they were "unskilled".

        1. Falmari Silver badge

          Re: on the job experience

          It did but is also stated this

          “The low skill category is largely made up of ex-IT employees who used their knowledge of the systems that they used to operate in order to damage their previous employers,”

          1. Alan Brown Silver badge

            Re: on the job experience

            IOW: "revenge hacking" - and pretty easily fingered

  10. Boris the Cockroach Silver badge
    Holmes

    Not much new here then

    since the low skilled seem to dominate in the rest of the criminal professions too.

    I'm just surprised the plod managed to catch anyone involved in computery crimes.... and even more surprised the criminal protection squad decided to take them to court....

  11. Peter Sommer
    Megaphone

    More thorough analysis available

    A rather more thorough review of the Computer Misuse Act and related prosecutions appears in: http://www.clrnn.co.uk/publications-reports/ from the Criminal Law Reform Now Network. (I was one of the co-authors)

  12. Anonymous Coward
    Anonymous Coward

    Sampling problem: that's only the people that got caught

    If you start with a list of people who have been caught (because, sensibly, there isn't really any other list available), then you have to allow in your conclusions that they cannot have been very bright or competent to start with.

    I have seen the *cough* IT "competence" *cough* of the police and those they subcontract to up close and I have as yet to be impressed. It's a good thing for the police that some convictions lend such an amount of taint that it's costly to go against them, but justice it ain't.

    1. MrMerrymaker Silver badge

      Re: Sampling problem: that's only the people that got caught

      More deets PLz

  13. Plest Bronze badge
    Facepalm

    Skilled people are doing harder things

    Let's face it, it's not that hard to find the right mix of useful tools and poorly protected systems and with everything connected online by default you have nice melting pot with a lot of low hanging fruit to pick off.

    The reason unskilled people are able to do this is because those with the skills are making good money on good and bad side of the fence and enjoy the really hard challenges. Knocking off a poorly patched webserver to hook a few people and snag a some PayPal accounts is not rocket science, given the time and patience most of us could do it relatively easily if we tried. The smart people are out there taking on harder challenges leaving the drones to pick up that low hanging fruit of people who still use "password12345" as the primary password on 58 websites!

  14. Anonymous Coward
    Anonymous Coward

    young, male and not highly skilled

    sounds like a great job advert to put in jobcentre shop window...

    1. Anonymous Coward
      Anonymous Coward

      Re: young, male and not highly skilled

      After leaving uni many years ago, I was unemployed for a while. The benefits people made me apply for a temporary filing job, *with the very same benefits department*

      During the interview, the interviewer said I was far too qualified for the job, and couldn't understand why I'd want it, as I'd just be bored out of my mind.

      Thinking this was a trap to stop my dole money (it turned out not to be - the department didn't know the same department had sent me for a job in their department!) I did my best to convince her I was perfect for the job.

      It got to the point where I even said "I have a good ability to switch off when doing mindnumbingly boring work, so I don't get bored"....

      Needless to say, I didn't get the job.

  15. Mike 137 Silver badge

    "average Computer Misuse Act convict is likely to be a semi- or low-skilled individual"

    Two points worth considering:

    [1] these are the ones not smart enough to avoid detection and prosecution

    [2] given the general poor resilience of the attacked, no significant skills are usually necessary.

    A common and well established error among academic criminologists is to draw their research samples from the prison population. This inevitably biases their research towards representing the professional failures. The successful remain below the radar and therefore never get researched.

    1. Anonymous Coward
      Anonymous Coward

      Re: A common and well established error ...

      .. among people who comment on the internet is that they think that they can (a) spot really obvious things that - somehow - have never, ever occurred to those with relevant expertise; and, further, they think (b) that even if those experts had spotted the obvious thing, they would not ever think of understanding their work with that in mind.

      Of course in the "criminals" context, it tends to be quite hard to study the behaviours of people that you cannot find, cannot catch, and who would rather avoid attention or examination of any kind. So sometimes you just have to work within the data you can get; and understand the results in full knowledge of that.

  16. esherrill

    Sounds a bit like the plot for a spy flick, or a season of Spooks...

    All the decent ones have surely been tagged, recruited by GCHQ, MI5 or MI6 (or whatever they are being called these days), and given blanket pardons from any previous criminal acts, as long as they continue to work for the "good guys" in the gov't....

    1. The Oncoming Scorn Silver badge
      Coat

      Re: Sounds a bit like the plot for a spy flick, or a season of Spooks...

      BTW does anyone know what Kerr Avon is doing these days?

      1. Anonymous Coward
        Anonymous Coward

        Re: anyone know what Kerr Avon is doing these days?

        I can't exactly remember the quote (or find it), but I expect something like:

        ... not doing what is right, but doing what is necessary.

  17. albaleo

    It's not the average person we should worry about

    I work in the education field - test results, etc. We give access to teachers and administrators. But recently, we give access to students. I point out possible issues and suggest that student access be completely separated from other users - different servers, different database, etc. I'm told not to worry - our students are not that clever, etc. Right, I think. The average student may not be that clever, but there are more of them than us. It takes only one clever bugger.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's not the average person we should worry about

      Hah with my students I *really* don't need to worry ;)

      (Anonymous because I don't want to hurt their feelings. They *do* try their hardest.)

      Our biggest threat at the moment is the very poorly implemented "web tech" that holds up the VLE and student accounts database along with Microsoft's terrible services. This really does open us up to opportunistic attacks from anyone running a script.

    2. Alan Brown Silver badge

      Re: It's not the average person we should worry about

      "I'm told not to worry - our students are not that clever, etc."

      I suggest you keep hard copy of that correspondence. You're likely to need it

      Back in the 1990s I was told that by a high school when I said it was only a matter of time before they got hacked by the students - and if they were lucky said students would ONLY change their exam grades

      I was an external consultant and as a result was told my services were no longer required. It was less than 2 years later before the inevitable happened and a bunch of private information got out. The fact that they'd been warned meant their liability insurers voided their policy, so it got quite expensive for the administrator concerned (who had overridden everyone else one summer holiday when sleazy salespeople had shown up with a slick sales job, resulting in staff returning to a done deal)

  18. a_yank_lurker Silver badge

    Not Unexpected

    As many have noted above criminals are not noted for their skills and while computer crime requires more skill than a 'smash-n-grab' often it is done by script kiddies or the like. Also, how many reported computer crimes are solved which would give a more interesting number. I suspect many computer crimes go unreported which also skews the statistics. Also, how many of the 'computer crimes' are prosecuted under other relevant statutes; fraud was noted in the post.

    1. Falmari Silver badge
      Happy

      Re: Not Unexpected

      @Prst. V.Jeltz he said script kiddies :)

  19. Anonymous Coward
    Anonymous Coward

    Discriminatory policing..

    Doesn't this actually just prove the police are gender profiling computer abusers?

    Unskilled, mentally ill, male lives matter!

  20. Chris G Silver badge

    Technical Report

    Considering this report was compiled by a university researcher who pulled a good deal of his data from El Reg, it sounds like a days worth of serious work and a bit of polishing (possibly), the sample size is small enough to not really mean a great deal, particularly as it focussed on only those cases linked to the CMA Act. More detailed research to pulled out all cases involving computer related crimes over a similar period may paint a completely different picture.

    as pointed out by the majority of posts above, the value of the research as a profile of likely offenders will mostly show the profile of the least successful offenders, so not all that valuable.

    1. Alan Brown Silver badge

      Re: Technical Report

      Having been an El Reg reader since its inception and spent at least as many years chasing various miscreants across networks who never got anywhere near court, I'd say fewer than 0.1% ever get anywhere near police, let alone a court.

      For the most part the Plod simply don't want to know, even when it's dropped giftwrapped into their lap, unless "someone influential" puts a flea in their ear

      What's really surprised me over the years is how few cases have resulted in victims taking matters into their own hands. Many of the most destructive/malicious skiddies haven't exactly been low profile

  21. Rich 11 Silver badge

    Oh hell...

    Nonetheless, the median criminal computer abuser is “young and male, with mental health and development disorders over-represented in their number,” the researcher concluded.

    This is what starting your career on the Hell Desk does to you.

  22. LordHighFixer

    Correction

    Isn't is supposed to read:

    it seems that most with the mindset to deal with computers started young, and male, with mental health and development disorders over-represented in their number, that lends itself to this type of work.

  23. Claverhouse Silver badge
    Thumb Down

    Rascals

    “The low skill category is largely made up of ex-IT employees who used their knowledge of the systems that they used to operate in order to damage their previous employers,”

    .

    Maybe employers should treat their workers better.

  24. Neoc

    Remember people: if you're not caught, you're not a criminal.

  25. TheMeerkat Bronze badge

    We should take into account that people with good skills in the U.K. can find a good well paid job that makes risks associated with crimes not that attractive.

    Which is why “foreign agent” hackers are the ones that are better qualified - the risks to be caught are lower if you are based in a country where the government supports your hacking and market salaries in those countries are not necessary that high.

  26. Binraider Bronze badge

    Considering that most of the "top" cyber security professionals are individuals recruited following being caught-red handed breaking into things; clamping down on people breaking into low level stuff is not conducive to developing the skills needed.

    Breaking into something without a pre-made script requires time, patience, investigative skills and a lot of error. For the average Brit trying to pay the rent you're probably too busy working all the hours that you can at McSlop to have the time to put the investigative hat on to learn how to really break into stuff.

    Classroom teaching of cyber sec too often ends up an exercise in teaching best practise for passwords and network design. Relevant, but not the skills you "need" to develop to be an effective attacker. And by being an effective attacker, you become by default an skilled defender, because you know what the opposition are looking for.

    Red/Blue team exercises are probably the closest to "real" attack and defence skills development anyone can ever create. The last I checked, the number of outfits that teach those skills or have facilities for it are pretty small.

  27. Juanguanomo
    Holmes

    It would seem to me

    That being less than skilled at such digital chicanery would strongly correlate with the increased likelihood of having your collar felt, would it not?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021