Scheme developed to steer young people away from computer-enabled crime
In late 2017, police and prosecutors noticed a worrying new trend in the number of young people committing cybercrime was rising and decided to act.
The result was a new programme – Hack_Right – which was created to prevent reoffending.
Since its inception, the scheme has developed steadily. Officially still a pilot, the initiative was expanded significantly in November 2019, when 20 companies joined the scheme as partners.
The Dutch public prosecutor reports that each year around 100 young people aged between 12 and 23 are arrested for a cyber-related offence. The true figure could be much higher, however – the authorities estimate it at between 100 and 200 offenders.
All too often, these offenders fail to realize the consequences of cybercrime. At the same time the Dutch believe that standard criminal sentences – such as jail time or fines – do little to prevent re-offending.
Hack_Right is funded as part of a wider scheme to prevent reoffending, ‘Koers en Kansen’, which translates to ‘courses and chances’.
The scheme’s other partners include Halt, a juvenile crime agency, the probation service, and the Child Care and Protection Board.
So far, 10 young people have joined the programme each year. Although that might not sound many, the Hack_Right scheme is tailored to each offender.
Each person joining the scheme is given their own “assignments” to complete.
“The assignments that need to be done and the material that was taught by IT companies and the criminal justice partners was made from scratch and designed to meet the goals of Hack_Right,” Floor Jansen, of the Dutch National Police High Tech Crime Team and Hack_Right founder, told The Daily Swig over email.
Adding more partners to the programme – especially those from industry – should allow Hack_Right to create more tailored assignments and potentially increase its capacity.
“Although lots of materials could be re-used in new cases, a great part of the Hack_Right assignments had to be tailor made per case,” said Ms Jansen.
The group is now developing a manual for the scheme, which will allow more reuse of the training modules. This should be ready by September.
Private sector partners provide tutors and role models as part of the programme.
Partner firms comprise a number of Dutch cybersecurity specialists including Fox-IT, Secura, Qbit, Northwave, S-unit, Access42, DIVD, and Zerocopter.
Support comes from the wider business community too, including financial services firms ING, de Volksbank, Rabobank and ABN-Amro, and Deloitte.
Do the right thing
The young people on the Hack_Right programme have committed a range of offenses according to Ms Jansen. “Most youngsters were prosecuted for DDoS (often against schools), hacking, or phishing,” she said.
So far, the scheme appears to be working – there is no evidence that its participants have committed further crimes. But the Dutch authorities are not taking this at face value.
“The police have asked an independent scientific research consortium to evaluate the project and indicate if the program had an impact on the offenders’ behaviour,” Ms Jansen said. The results of this study are expected at the end of this summer.
Hack_Right was inspired, in part, by the UK’s Positive Diversion workshops, set up in 2015 by the National Crime Agency. Much of the NCA’s effort now focuses on potential offenders, or young people showing signs of crossing over into illegal activity online, through the UK’s Prevent and Protect programmes.
Hack_Right is unusual because it focuses on convicted cybercriminals and on preventing repeat offending. But the Dutch believe that early intervention pays off, not least by keeping young people out of the criminal justice system.
“Some youngsters can cause great damage with their IT skills,” said Ms Jansen. “The characteristics of these cyber offenders seemed to be quite different from other types of crime.
“This is why the existing interventions or punishments might not always be suitable for this group of offenders.”
The Dutch are also investing in prevention initiatives, however, by working with the UK’s NCA in that area.
Authorities in other countries are watching Hack_Right with interest.
“The project has been presented at different international cybercrime conferences and a few countries, both within and outside the EU, have stated their interest,” Ms Jansen noted.
“Some countries have been making follow up inquiries. Interest has been expressed by both law enforcement and the private sector.”
The programme is also attracting attention from the cybersecurity industry in the Netherlands and further afield.
“These initiatives work best when they are integrated with those that demonstrate proper career paths, and that you can earn as much, if not more, on the right side of the law,” said Ian Glover, president of industry body CREST.
“That is something that we, in the UK, are quite good at,” Mark Nicholls, CTO of pen-testing company Redscan told The Daily Swig.
“We’ve seen some good work from the Metropolitan Police and the NCA identifying people downloading obviously illegal software… we want to identify these people before they commit a crime and tell them they are heading in the wrong direction.
“As an industry, we need to bring in young people who have been experimenting with hacking on the wrong side of the law.
“Given the acknowledged skills shortages in cybersecurity, we need to do all we can to [encourage] appropriate pathways, so that young people don’t get drawn into the darker side of hacking.”