The Biggest Risks in Cyber: Curious Teenager Edition

While some teenagers play Call of Duty® with their friends, there are others more inclined to explore the dark side of the internet. 

According to the Kaiser Family Foundation, children and teens ages 8-18 now spend 7.5 hours in front of a screen each day on average. And today, access to illicit content is more prevalent than ever through availability of resources, forums, and inquisitive thinking.  

From vulnerability exposure to financial gain, teenagers, as tech natives, pose a huge risk to cybersecurity and are becoming more sophisticated in the type of hacks and attacks they attempt. 

Just in the past year, there have been numerous major breaches that were led by young cyber adversaries. Bloomberg reported that a string of high-profile hacks against technology companies, including Microsoft and Nvidia, have been traced backed to a 16-year-old living at his mother’s house near Oxford, England. They allegedly belong to the notorious Lapsus$ hacking group. In September 2022, the City of London Police revealed that a 17-year-old had been arrested on suspicion of involvement in the recent cyberattacks targeting both Uber and Rockstar Games, according to reporting by Security Week.

@MatthewKeysLive Tweet reads: "#Breaking: Police in the United Kingdom have arrested a 17-year-old suspected of hacking Rockstar Games and leaking data associated with Grand Theft Auto 6."

With the ever-growing prevalence of online gaming among teens, most children will be aware of ‘hackers’, even if it is within the context of a game. This opens the door to actively challenging systems, motivated to affect grades, create havoc, or derive financial gain and research into more serious hacking.  

Even a basic search of how to hack will result in the discovery of some incredibly dangerous resources that could allow even untrained and inexperienced teenagers to cause issues. For only £7 a month, there are ethical hacking training program subscriptions that will teach users to properly utilise and understand those resources. With the amount of free time and growing independence during this stage of life, it is easy to upskill to a worrying and threatening level within a year.  

Teenagers with an interest in hacking will often arrive at online forums where criminal hackers discuss their exploits and teach others how to achieve the same outcomes. We face a situation with the internet giving young adults knowledge and skills to cause damage, with little direction, governance, or consequence. It is no surprise that so many end up on the wrong side of the law.  

What can be done?  

Unfortunately, there are few meaningful outlets for skilled teens at the time of writing. Teens are considered too young to start building a career from their skills. Online “capture the flag” exercises can be fun, but rarely mirror real-world ethical hacking, or penetration testing. Bug bounty programs are equally unhelpful, as successful bug bounty hunters tend to be extremely experienced. Even talented teens are unlikely to find their curiosity satiated by these outlets alone. 

Recommended Reading: Penetration Testing Services vs. Bug Bounty Programs 

Naturally, they seek other opportunities to test their skills. Proof-of-Concept (POC) code for new vulnerabilities, known as “Zero Days”, can be tempting. Once a POC exists on the internet it’s a race against time for system owners to patch their systems or be hacked (see: Log4Shell).  

Some POCs are “point and click”, taking only a few seconds to execute a sophisticated attack in a world where information is king. Stolen databases are worth good money to the right buyer. Even where teens may not knowingly steal and sell data from systems they successfully hack, just attempting to access a computer system without authorisation represents a breach of the Computer Misuse Act 1990. The maximum sentence for convictions under this legislation is life imprisonment. 

Despite this, there seems to be a perception that people caught hacking are given government jobs rather than a criminal record, but that is rarely the case. Instead, those with a chequered past are more likely to face frequent rejection by employers in a demanding cybersecurity industry.  

More needs to be done to get people on the right path from a young age. The cybersecurity industry, together with the national government, need to guide the next generation of cybersecurity professionals.  

The introduction of nationally recognised certifications specifically for young people could be a great place to start. This would expose children to a positive path before they use their skills for nefarious purposes. Particularly talented young people could then progress to the certifications used by industry professionals, providing a structured path for continued development. Ultimately, people with the right skills and motivations will be welcomed into the industry to utilise their skills for good – whilst getting paid well to do so.

Discover why security operations teams choose NetSPI.