I was at a conference recently and the topic came up of the average age of the current cyber criminal. Now, whilst there was not any empirical evidence presented, it does appear that the age of the average criminal online is significantly lower than in the real world. This has something to do with the leveller that the Internet represents, i.e. when you are online it doesn’t matter who you are physically; you can be anyone. Thus, whilst in the real world physical size, presence and intelligence can be advantageous for a life of crime, in cyberspace it really doesn’t matter.
This then brings me on to the generation gap. Look at many security conferences and what do you see? Well, the youngest person in the room may be in their mid to late 20s, with a huge number in their 40s and 50s. The issue is that these people will (and do) find it difficult to understand what motivates young people.
Take the recent Anonymous issues: a lot of the middle-aged infosec people think they understand (though may not agree with) the rebels-with-a-cause mentality, being that they lived through the 70s and 80s. However, in a recent talk by Mikko Hypponen of F-Secure, he related a story of a 12-year-old who hacked a major website “because he was bored”. This completely threw both myself and most of the audience: how could a kid deface a website, commit a serious criminal offense, all in the name of boredom? Well, for most people over 25 the internet is something that was created in your adult life. The consequences of hacking were clearly laid out in the news and media (remember Hackers or WarGames). However, I rather suspect that “the youth of today” (wow, I sound old) have grown up with the technology, and to them it is as ubiquitous as electricity.
Now let’s look at the serious issue that this poses. When cybercrime was all about money (and it will get back to being all about money, mark my words), people thought that they understood it. If you followed the money trail there would at some point be a criminal with a smoking gun waiting to be arrested. For a really good story of exactly this I can heartily recommend the book Kingpin by Kevin Poulsen, a classic tale of following the money and a very traditional attacker. Now the motive may be one that, due to the generation gap, the investigator will never understand.
So what is the solution? Well, this one is not as easy as just hiring younger people (though it will help). It is about learning how your attacker thinks, what motivates them and how they communicate. This last point is particularly poignant. During the recent London riots, many people were surprised that BlackBerrys were being used by so many of the rioters. It turns out that, far from there being an iPhone Generation, a lot of the younger people today are using BlackBerry Messenger, as it is free and can send to multiple people at once. Again, something that blindsided a lot of people.
What else needs to change? Well, as I have said before: education, education and more education. Digital citizenship needs to be taught in schools. Not just how to use a computer, but how to act, the consequences of your actions and the fact that cybercrime is real crime.
So to conclude: talk to your kids, talk to your friends’ kids. What do they use? What tech do they like? What sites do they like to hang out on? Forget about Generation Z at your peril, as that is where the attackers of today and tomorrow are already present.