To be sure, that prescription is tongue-in-cheek, but it speaks to a hacking truth: Based on arrests of alleged Anonymous, LulzSec, TeamPoison, and other hacktivist group participants--not to mention many cyber-crime gangs--it's the rare participant who's over the age of 25--or even 19.
Clearly, the early 20s are an inflection point in most hackers' lives, when they transition from engaging in criminal activity to becoming law-abiding citizens. Accordingly, might outreach programs, perhaps involving older ex-hackers, help keep them out of jail? They might even steer would-be hackers into lucrative professions that put their skills to better use, such as penetration testing.
[ Megaupload founder says he'll come to the U.S. in exchange for a fair trial and access to his assets. Read more at Megaupload's Kim Dotcom Offers To Extradite Himself. ]
The question of whether outreach programs would be effective requires working backwards, starting with the reason hackers--who are overwhelmingly male--stop hacking. That's typically because they get girlfriends, jobs, children, or other responsibilities. "We see a lot of adolescent hackers just 'aging out,' and there are relatively few who remain life-course persistent," says cyberpsychology expert Grainne Kirwan, a lecturer in psychology at Ireland's Dun Laoghaire Institute of Art, Design and Technology, in a phone interview.
While conducting research for her criminology Ph.D., Kirwan interviewed about 20 hackers and found that the majority stopped hacking due to their changing life circumstances. "The chances are by the time they turn 18 or 19 they'll age out, and if they haven't stopped then, by the time they get married, settle down, and have kids, they won't have time to do this type of behavior anyway," she explains. "As they get older, their moral development gets better, and they don't have the ability to commit crimes anyway."
Kirwan said the aging-out phenomenon isn't limited to young hackers. "What we know from general criminology research is that offenders age out, and that they tend to age out when they start to settle down, find a significant other, and [other] factors that will reduce the likelihood of their wanting to offend," she says.
The prevalence of minors who hack hasn't gone unnoticed in law enforcement circles. Speaking earlier this year at the RSA conference in San Francisco, Eric Strom, unit chief for the Cyber Initiative and Resource Fusion Unit Cyber Division at the FBI, said the bureau believes that in general, hacktivist groups are run by a small number of people who combine "technical knowhow and the ability to impress upon younger people" the desire to launch certain types of attacks. But, he said, "the challenges of going after the larger group [of participants] is that most of them are minors."
How should law enforcement address that, especially when those kids' parents likely think their son is upstairs doing his homework, not launching a low orbit ion cannon distributed denial-of-service (DDos) attack?
To answer that question, it helps to know why hackers hack. In fact, most hackers--who are older minors or young adults--"are desperately trying to assert their own independence, and believe they can make a change in the world that their parents can't," says Kirwan. "They kind of forget that it's their parents' generation who invented hacking."
Many kids involved in hacking view their activities as a benign form of protest, when the laws--as currently written--can criminalize some types of related behavior. "They are sitting at their computer and saying, 'I'm not committing a crime,' because it doesn't feel like committing a crime," explains Kirwan.
The FBI's Strom said the bureau tries to draw a clear line between online protests and online attacks. "Certainly if they're just complaining about something, they have every right to do that--and we don't have any problem with that," said Strom. But if they hack into a system or go after someone in law enforcement and their family, that's a different story.
Also, there can be seeming inconsistencies between what's legal in the real world as opposed to online. "In the western world, we generally… encourage political activism, even when it might have a negative effect on business," said Grady Summers, vice president of Mandiant, speaking at this year's RSA conference. For example, workers can picket their place of business over poor working conditions, and people can protest in front of foreign embassies or set up Occupy Wall Street camps that may impact local businesses. But by comparison, "the digital equivalent of that--a DDoS attack that takes a site offline for a few hours--is clearly criminal," he said.
Should the laws pertaining to DDoS attacks, when launched for protest purposes, be changed? Regardless of wrong or right, in today's "must-be-seen-as-tough-on-crime" political arena, it's unlikely that related laws or jail times would ever be curtailed. Furthermore, do we really have a full enough understanding of exactly why people hack?
"What do we really know about hackers engaged in bad stuff? Do we have a proper, accurate, working taxonomy of people involved in cyber-criminal activity, cyber espionage, cyber warfare, and so on?" said Darkmarket author Misha Glenny, speaking at this year's RSA conference. "Who are the masterminds behind the attacks? Are they suave social engineers, are they highly skilled hackers, or are they psychopathic characters who combine both attacks?"
Another question concerns whether many hackers might also have Asperger's syndrome, a form of autism characterized by having difficulties with social interaction, and often also an affinity for obsessive or repetitive routines. Kirwan says a connection between hacking and Asperger's has been noted anecdotally because "it's a facet of some of the most publicized cases." For example, both the lawyers for NASA hacker Gary McKinnon and accused LulzSec member Ryan Cleary have said their clients have the disorder.
The Asperger's theory would handily explain why many kids hack, as well as why they're so good at it. "People who have Asperger's syndrome are less likely to find full-time employment or to settle down with a family," says Kirwan. "Another trait for people with Asperger's is they will find out everything they know about something they like." But she cautions against trying to reduce the cause of hacking to just a developmental disorder. "I certainly don't want to do a tarring with one brush," she says.
Keeping the potential Asperger's connection in mind, if most hackers do simply age out, could prevention programs be put in place to help deter minors before that happens? For example, why not turn to older, more mature ex-hackers to educate younger hackers about the risks, or to try and help them put their talents to a legal—and, given the state of the information security job market, likely quite remunerative--use? "Putting the two together seems like it would reduce the crime, but the next step is to test that and see if that's what really happens," says Kirwan.
Unfortunately--at least where Kirwan's hacking studies are concerned--hacking interviews and research conducted for her Ph.D. have given way to the responsibilities of a full teaching load. "It would be fantastic if I could buy out a bunch of my time and work on a project like this," she says. "But we'd need the funding to do that, and at the moment, that funding doesn't seem to be around."
So here's to a show of hands from businesses and government agencies that don't want to get taken down by hacktivists: Rather than locking up hackers after the fact, who wants to fund better hacking research and practical hacking-prevention campaigns?
Editor's note: corrected spelling of low-orbit ion cannon.
Black Hat USA Las Vegas, the premiere conference on information security, features four days of deep technical training followed by two days of presentations from speakers discussing their latest research around a broad range of security topics. At Caesars Palace in Las Vegas, July 21-26. Register today.