U.S. government board looks to curb teen enthusiasm for cybercrime

A U.S. government advisory board is pushing Washington to reckon with an unpleasant reality: Teenagers are increasingly participating in underground cybercrime.

Driving the news: This month, the Department of Homeland Security's Cyber Safety Review Board recommended that Congress explore funding juvenile cybercrime prevention programs that could help steer young people away from illegal hacking and other online crimes.

• The recommendation was made as part of a recent investigation into Lapsus$, a teenage hacking group known for its attacks on major companies like Microsoft, Nvidia and Rockstar Games.

The big picture: It's pretty easy for young people to get involved in cybercrime without their parents catching on, experts tell Axios, since using a computer or smartphone isn't normally considered suspicious.

• Meanwhile, a lack of education about what's considered illegal online makes young people uniquely susceptible to the allures and dangers of criminal hacking.
• "This stuff can be sexy, this hacking stuff," John Shier, field CTO for commercial operations at Sophos, tells Axios. "I remember being a teenager, and you always want to do something that's edgy and interesting and fun and maybe a little bit illegal."

By the numbers: About 48% of European youths between the ages of 16 and 19 self-reported in a recent survey that they engaged in criminal behavior online between the summers of 2020 and 2021.

• The European Union-funded survey released in December was conducted among 8,000 young people across nine European countries, and it's considered one of the largest, most definitive reports measuring youth cybercrime activities to date.
• The survey found that one in 10 teenagers had participated in criminal hacking, while about 20% had used illegal virtual marketplaces and 12.5% had done some form of money laundering.

What they're saying: "The generation that has grown up almost entirely online and with smartphone devices are engaging in cybercriminal practices," Dr. Mary Aiken, a co-author of the EU-funded study and an online safety adviser at Paladin Capital Group, tells Axios.

• "This is not a pretty picture of the youth of today; this is a very concerning picture, and it needs to be tackled on multiple fronts," adds Aiken, who also advised the Cyber Safety Review Board's recommendations.

State of play: Juvenile cybercrime prevention programs have been cropping up across Europe in recent years, serving as potential models for the U.S.

• The Netherlands and the U.K. paved the way in 2018 when they started their joint Hack_Right program.
• The Netherlands ended up expanding those efforts in 2020 and created its Cyber Offender Prevention Squad, while Finland also started its own program that year.

• These programs typically focus on two missions: Raising awareness and educating young people about cybercrime, and rehabilitating youth cybercriminals to reduce recidivism.

Between the lines: Many of these programs focus on traditional hacking and computer crimes. Aiken hopes that if the U.S. takes up the review board's recommendations, officials will expand such a program to include "gateway" online behaviors.

• Aiken's research has found that teens who have participated in risky behaviors — like digital piracy, cyber-stalking and sexting — are more likely to later engage in more obvious criminal acts, such as hacking and money laundering.
• "There's no point in [just] talking about hacking because that may not be the entry point," she says. "The entry point may, in fact, be something as relatively benign, but still criminal, as digital piracy."

Yes, but: DHS declined to say whether any lawmakers are interested in taking up the board's recommendations, and it's unclear which federal agency might be willing to lead such an initiative.

• Aiken says she's met with officials at the White House in the last year to discuss her findings, and she's also seen interest in tackling the problem at the Department of Justice and DHS.
• "Everybody is involved in a part of this in some way, and what it needs is one agency to lead," Aiken says.

Sign up for Axios' cybersecurity newsletter Codebook here