National Cyber Prevent Programme

The UK has a problem. A large number of young people are committing criminal offences which are contrary to the Computer Misuse Act 1990. Estimates vary, but some figures estimate that 1 in 4 teenagers has attempted something which is illegal under that act. We know that the average age of arrest for cyber crime in the UK is just 17 years old – contrasting an average for all other offending of 37 years of age.

There is little space in the curriculum to teach the Computer Misuse Act, but few are telling our young people where the boundaries are. 

Many with talent are not challenged by computing lessons. Cyber security topics rarely feature and if they do they are constrained by time to the basics.

We know that coupled with this is the ready availability of tools and services for committing cyber crime for little to no cost. DDoS for hire is a reality that is here now. They are being educated as to the existence of these services by social media and forums which often portray themselves as legal services for professionals. A simple Google search will reveal a wealth of methods and tools, and YouTube and similar will show how to use them. None of these services flag that DDoS, RATs and hacking kits are quite probably illegal.

A report by CREST with the National Crime Agency also indicated a connection with online gaming… We know that not all online gamers are cyber criminals – far from it! But, we do know when we find the convicted cyber criminal and debrief them, a significant proportion started off by finding out how to cheat at online gaming. The natural pathway is to lose… find out how to cheat and mod the games (not illegal)… still lose… then learn how to ‘boot’ opponents using DDoS services or tools. Unfortunately this often leads to them being engaged in a world where other opportunities present themselves – RATs to steal loot boxes and game content.

At no stage in this process has anyone highlighted the legality of the activity and indeed the ‘sales’ techniques of many of these retailers purport some legality such as ‘stress testing’ a website… This blissfully ignores the reality that the massive bandwidth of a DDoS attack over the internet may have unintended consequences on other users of the same telecoms substations – or even hit the wrong target due to erroneous IP resolution. Law enforcement in the UK can deal practically with those DDoSing a friend over online gaming, but if a hospital, school or an SME that goes bust are the accidental Victim it can have real world consequences no-one ever taught these youngsters to think about.

The crying shame about this is the potential missed opportunity… Cyber security careers are numerous and growing. Reports abound about numbers, but an oft-quoted Global Information Security Workforce Survey suggests a gulf of 1.8 million unfilled jobs in cyber security by 2022. Average salaries in the UK are somewhere around £70,000, with graduate roles starting around £35,000.

It is not all about technical positions. Inspired Careers lists 87 different job roles in cyber security. Many are strategic, educational, response or coordination roles. These suit a diversity of individuals – especially problem solvers – but the industry continues to have an image that everyone sees the matrix and reads binary. Like all STEM subjects, women are massively under-represented despite often having all of the right skills.

There are also lots of different routes in which suit candidates with different ability. Apprenticeships and Degree Apprenticeships are now quite common and offer an alternative to the traditional degree which will not suit everybody. Industry partners we have met have told us that a degree in Computer Science or even Cyber Security specialisms are great – but knowledge may be out of date by the time they qualify and they may not show the practical skills. Industry wants continuing professional development and industry qualifications like Sec+ and OSCP.

There is plenty of anecdotal evidence that young people involved in cyber crime are often somewhere on the autistic spectrum. The National Crime Agency are funding research by Bath University into how true this is and the reasons why. What we do know is that these people will often be more vulnerable, may not succeed in some traditional academic routes but have plenty of talent perfect for these roles.

You – the specialists in educational networks – are in a perfect place to help. You know who in your school or college is consistently triggering alerts, trashing the boundaries and causing you a headache… You have the opportunity to help shape things.

The UK Government knows there is a problem and an obvious solution. The national Cyber Prevent network has been set up in UK Policing to deliver this, led by the National Crime Agency. We can deal practically and sensibly with students you are concerned about. The aim will be diversion rather than criminalisation, provided they are not responsible for the next WannaCry virus. We have access to resources and tools to steer schools and parents – and those involved – in the right direction. We can educate as to the boundaries and then point them towards the opportunity.

Speak with your safeguarding leads. Make them aware of the national Cyber Prevent programme. If there are people you think are heading down the wrong route, get them to make the referral to your nearest Cyber Prevent team and work with us to help them before it is too late.

In the meantime, consider what your organisation is doing and think about:

  • Do you treat pupils breaching school cyber security as a safeguarding issue?
  • How would you respond to a student breaching cyber defences?
  • Are there extra-curricular programmes to support cyber talent?
  • Can you utilise them to improve school cyber security?
  • Bug Bounty: would you pay a bug bounty – such as £20 Amazon vouchers – to a pupil if they report a vulnerability rather than abuse it

Find out more:

We can refer you to your local team if you are not in the South-East.

Andy Rawlinson
Police Cyber Prevent Officer & Cyber Security Advisor