weerapat1003 - stock.adobe.com
Youths that are convicted for cyber crimes are being put to work with IT departments in the private sector as alternative punishment to imprisonment, as part of a programme in the Netherlands.
The Hack_Right programme is aimed at rehabilitation and education, and is a collaboration between Dutch police and public prosecutors, designed specifically to handle cases with young and sometimes naive hackers.
Other partners in the project are Child Protective Services, and Bureau Halt which gives under-18 criminals alternative punishment, usually in the form of community service. Youngsters convicted through Bureau Halt will have no permanent criminal record that could otherwise greatly hinder them later in life.
It’s in this programme that Hack_Right found its inspiration. Rather than cracking down hard on young criminals, authorities first try to re-educate them and give them meaningful insight into their actions without compromising their futures. This reduces the risk of reoffending, and it helps youngsters develop and then utilise their IT talents in later life.
About 70 young cyber criminals come into contact with prosecutors every year, mostly for small crimes and misdemeanors. In many cases, the young criminals aren’t even aware what they’re doing is illegal. They hack into their school systems to change their grades, or simply to just have a look around.
“Something as simple as obtaining your teacher’s password and logging into the school network is a form of cyber crime,” said Martijn Egberts, a public prosecutor.
According to the programme managers, the young hackers usually don’t properly foresee the consequences of their actions. Hacks can cost companies a lot of money, even if it’s just to notify customers of a breach. There lies the base of the programme.
“We saw a growing problem with young people that can do a serious amount of damage in a relatively easy way,” said Floor Jansen, one of the programme managers. “They usually don’t realise the scope of their damage to the victims.”
Read more about young hackers
- “Fan” who broke into Apple’s mainframe from his home in Melbourne has avoided prison because the information he gathered was recovered.
- An initiative in Rotterdam is helping young people get into the IT sector by targeting those overlooked by traditional methods.
There are many examples of such occasions. Last year, an 18-year-old took down large Dutch institutions including the Dutch Tax Authority and several banks. He used a simple webstresser that was purchased online.
Jansen knows more examples, like when someone hacked into a large service provider to watch free movies. After a little prodding in the network, he would’ve been able to take down a large part of the Dutch telephone and internet traffic. When the police made the arrest, they didn’t find a sophisticated group of expert hackers, but a kid.
“Cyber crime prosecutors struggle with such cases,” said Jansen. “They don’t know what intervention fits best for these culprits. They did something wrong, but they’re still young and often differ from most traditional perpetrators.”
Hack_Right isn’t always applicable. In fact, there are a few strict criteria for youngsters to be admitted into the programme. Besides being in an age range between 12 and 23, hackers can only participate if they confess. They should also be willing to develop themselves in a positive way.
“Hack_Right consists of four modules you can view as four pieces of a puzzle,” said prosecutor Egberts. “Every module adds to a change in behaviour of youngsters.”
The first module is recovery, which means the convicts are confronted with their actions. In some cases, they’ll meet their victims so they get a first-hand account of what they did wrong.
The second step focuses on teaching where legal boundaries lie in the online domain. “Everybody knows tossing a brick through a window is illegal,” he said. “But online, those borders are much more unclear.”
In the third step of the programme, the hackers are taught about legal alternatives for their skills, such as ethical hacking through hackerspaces. Those places are often good starting points to have prosperous careers in cyber security.
“Those possibilities are usually completely unknown to most hackers,” said Egberts. In the last phase, the youths are coached into finding such careers.
In most cases, the police and other public authorities take on the first two modules. In the latter two, private companies hitch on. Several companies such as Deloitte have made themselves available and police are looking for more partnerships.
Increasing the number of charges
Part of what the programme wants to achieve is convincing victimised companies to increase their willingness to press charges. “We see small companies or schools don’t always press charges because they don’t want to ruin young people’s lives by giving them a criminal record,” said Lisanne van Dijk, policy adviser with the Dutch national police.
More charges aren’t just good for the public record. It can help youngsters as well. “When kids aren’t caught at a young age, they move on to more serious crimes which are even more destructive and expensive. Then they’re even further from home.”
This is especially prevalent in cyber crime. The Netherlands has a wide-ranging network of social workers and neighbourhood policemen who try to counsel young people and steer them away from criminal activities.
But youngsters who commit cyber crimes are a lot more invisible, both to authorities as well as to their parents. “When companies press charges, it becomes easier to spot them in an early stage,” said Van Dijk.
Cooperation is vital
Hack_Right isn’t for everyone. The police want to maximise how many youths can be adjusted in the process and is as a result selective. Possible candidates for the programme are judged on their age, but also on their willingness to voluntarily cooperate. “It doesn’t work if the youngsters don’t want to cooperate,” she said.
In that case, normal trial procedures are applied. Standard community service, fines or even prison time become options. However, Hack_Right isn’t simply an alternative punishment that youths can choose instead of prison. In some cases, prosecutors can choose a combination of both.
Hack_Right started several months ago and should finish in a few weeks. It’s been a pilot program which will be evaluated soon.
Read more on Endpoint security
Germany: European Court of Justice hears arguments on lawfulness of EncroChat cryptophone evidence
A tenth of kids claim they could hack you
Dutch lawyers raise human rights concerns over hacked cryptophone data
Italian Supreme Court calls for prosecutors to disclose information on Sky ECC hacking operation