Subscribe
Share
Share
Embed
Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.
We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to every day internet users by providing in-depth and first-hand experiences from leading cybersecurity professionals.
Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!
The doorbell rings and there is a package.
The package is not for you,
but for your eight year old son.
That's a surprise, but the next surprise is
even bigger: in the package is an AK-47.
Now, this is a true story,
and this episode is all about
how we educate our children
in a digital world.
My name is Lieuwe Jan Koning.
Welcome to Threat Talks and here
from headquarters at ON2IT,
we bring you the next episode:
From hacker to hero.
Let's get on to it.
Welcome to Threat Talks.
Let's delve deep into the dynamic world
of cybersecurity.
I'm thrilled to announce
our guest of today.
While I'm in the Netherlands,
he is actually in New York
in the United States.
William McKeen. Welcome.
He's a former FBI supervisory
special agent.
What that actually means,
we'll hear in a minute.
And today he is a founder
of The re_direct Project.
And well, we're going to talk
about how children end
up becoming a hacker
sometimes a very young age.
And what can we all do about this?
William. Morning.
Welcome. Thank you.
Great to have you on the show.
Do you have any children?
Yeah, well, not old enough to be a hacker yet,
but a four month old baby girl,
A four month...
So, when you're yawning, you're actually
excused during this recording.
Thank you.
I can imagine. It's the sleep deprived
phase of fatherhood, I think.
Okay. Yeah. Okay. Good luck with that.
So, like I said in the introduction,
you are a former FBI agent.
Can you tell us a little bit,
what was your job?
What did you do?
Yeah, I was in the FBI for 15 years.
I spent almost all of that time in
what the FBI calls the cyber division.
And I was almost exclusively focused
there on financially motivated cybercrime.
So not our nation state actors,
those folks who are engaged
in kind of espionage campaigns,
but cyber and cyber fraud
and those people who really don't care
who they're compromising,
they just want to make
as much money as possible.
And so I spent most of my career
in the FBI working on
financially motivated cybercrime work.
Can you explain a little bit
how that works?
I mean, are you behind your
computer all the time,
are you seizing servers
and data centers?
What was your day job?
Yeah. All of the above.
And any good FBI cyber agent
will tell you that
they spent a lot of time
in the Netherlands, too.
So, lots of good work that we did
with the Dutch police there.
But, yeah, just about everything you've said
there, working behind the
keyboard to understand,
you know, the crimes
that are occurring online,
but also understanding, since it's
a financially motivated crime, like where
that monetization point
was for those bad activities.
So if I'm compromising a computer system
to make money, where is that
money actually flowing?
And even though it sounds like
big scary ones and zeros, it's
actually a lot more about following
dollar signs and euro signs, right?
Where is that money ultimately going?
Because that's the motivation behind
what the bad guys are up to.
So I spent most of my career
working out in, you know,
I think the world would
call the field, right?
I was out interviewing people
and investigating and
working in liaison with companies.
And that's really what gave me kind
of the window into understanding
how cybercrime really impacts people
and the understanding of the companies
and the people who are affected
by those kind of hooded faces
behind the keyboard, with the binary code
scrolling behind them, like
what was actually happening
with those keystrokes.
Yeah.
And I can image, it's sometimes difficult because
when you start investigating a crime, you don't know
where and in what jurisdiction this person
is. Correct? I can imagine this is hard.
I mean it's easier to try to get a
bank robber, like a physical one.
Right?
Because that person probably is
close to the actual bank, right?
But now they could be indeed
in the Netherlands or maybe in
nations where there's no
real good collaboration.
I can imagine, a hacker
from Russia, for example.
It's going to be difficult.
Think about trying to solve the
Louvre art heist without having
a video of the bad guys actually
leaving the museum, knowing the license
plate of the car that drove them away,
and having the security footage in
almost any major city showing you
their exact path that they've gone on.
Right.
These are folks who planned
that crime for years, and we're still...
They were caught yesterday, right?
Caught within a couple of weeks of the act.
What we have here is just those digital
fingerprints that we're trying to use to
peel back all of these layers of
obscurity and figure out really
who is behind the keyboard
and who's doing these cyber crimes.
And do you have to sometimes
also try to get into their systems?
It's perfectly fine if you cannot
say anything, like I would,
I could understand,
but does that also work
sometimes that you go try to approach them
to gather more evidence,
for example? I think a lot of people
will see cyber crime
and say, oh, that must be so different
than any other type of crime you work.
But ultimately it's still a person behind the keyboard.
And what the FBI did better than anyone else
when I was there, was recruiting
those people who are inside the network
to be able to work with you,
to give you that insight.
You can have all kinds of obscurity
and VPNs and proxy servers,
but if I've got somebody working for me
who's inside your criminal enterprise,
none of that helps prevent
me from finding out who you are, right?
Yeah, we actually hear that a lot. We did episodes
on the maritime industry, for example,
and they have an issue, because you
never know who you're actually hiring.
And we, of course, we've seen Manning
and Snowden, for example, different things.
People use screens and you can use this
mechanism to your advantage as the FBI.
So that helps you a lot.
Yeah, absolutely.
You have a few examples of really
young kids from time to time,
I mentioned one in the introduction,
someone who got an AK 47 delivered...
You have a ton of these examples,
how things at a surprisingly
young age sometimes
are really, really savvy
and do the craziest things.
Can you give us a few examples of
things you've encountered in your career?
Yeah.
You know, I think, working
financially motivated cybercrimes
took me to West Africa,
took me to Eastern Europe.
I worked cases on folks
from Southeast Asia.
Those are not surprising places to hear
that there was a financial cybercrime
coming from. But in the last few years
of my career, we found that the
call was actually coming from inside
the house, right, to use a movie quote,
and that the bad actors that we
were seeing engaged in incredibly
sophisticated cybercrimes were children.
They were teenagers,
and they were US born citizens
just going to school every day
and coming home
and engaging in incredibly
sophisticated cybercrimes.
So I can talk about a 17 year old
who hacked Twitter,
and caused an untold amount of
chaos there within the company.
They still recognize it
as one of the biggest cyber intrusions
in the history of a social media company.
There was a 16 year old, from Australia,
who hacked Apple and Apple
spent months trying to figure out
how to get this guy out of their systems.
And it turns out he was just motivated
because he wanted to one day
get a job at Apple.
And even in January of this year,
a 15 year old who got his start
in hacking or computer intrusions
by trying to hack
into the Italian Ministry of Education
so that he could change his grades.
And this is, you know, a famous,
this is Ferris Bueller, right?
From the 1980s movie of hacking into the
school to change your grades.
That didn't cause enough harm
for any law enforcement response.
But a few months later,
when he chose to hack into the navigation
systems for ships in the Mediterranean,
that got some people's attention.
And so you think about a 17 year old doing
something to a major social media company,
a 16 year old hacking one of the biggest
and most secure companies in the world,
and a 15 year old having ships
go out of control in the Mediterranean.
And then to your point at the top,
right, we have an eight year
old who successfully purchased
an AK 47 online.
That was some of the most...
A fellow Dutchman. My apologies.
He is a fellow Dutch,
yeah, but
what he's doing now, I think is
actually pretty cool, is he's helping,
Right.
And that's what the theme of today is.
He's helping people,
helping other young people
not make those same decisions.
And I think that's where this is
so interesting is we have this population
of young folks who are engaged
in things that are world shaking
and industry rattling cybercrimes
that you would think
are the exclusive remit of nation states
or sophisticated organized crime groups.
But instead it's kids.
Yeah, a single kids apparently bringing
down these large organizations,
and not necessarily because,
I mean, the FBI is involved,
you don't do that if you made a very stupid mistake
or didn’t forget to patch one single system.
Those are advanced attacks, correct?
Yeah, they can be very advanced attacks,
but in other instances
they're just calling in and socially
engineering their way into companies.
They're calling into the customer support
desk and impersonating an employee,
to get credentials,
or they're using a very,
very clever known vulnerability
that hasn't been patched,
to your point. They don't have to be
sophisticated to be devastating.
Yeah.
So and the FBI gets called
when there's impact, right?
It doesn't really matter,
of course, how it's done.
So you get involved
when people are worried.
I also understood that there was someone
in Florida that changed the pH value
the amount of acid in the water,
in the drinking water system.
Yeah, he was able to gain access
to the industrial control systems
and change the, like you said,
the pH level of the water supply.
That's the kind of cybercrime that
would make nation states envious, right?
We have entire units of hostile regimes..
[ ] can do this.
Yeah.
We'd rather have this 17 year old on board
to make sure that that cannot happen again.
Absolutely, right.
And that's one of the unique things
about having a native US,
you know, English speaker involved in
this is the problem is also the solution.
For every one of these incredibly wow factor
cyber attacks that they're engaged in,
they can be rerouted or redirected
to be a cyber defender, to be a cyber hero
instead of a cyber criminal.
Yeah.
Imagine you're a parent of one of these kids.
Let's talk about that a little bit.
I mean, how do they get there?
You've been thinking about it.
There's lots to investigate in this.
There is a reason or a mechanism or
apparently it's somewhat easy to get
involved in, well, first of all, hacking.
But then these kids also end up as part
of criminal organizations even.
Can you give us some insight on how that happens
and how the kid psyche somehow works
and gets into a state that
it's possible like this.
Yeah. It all starts with curiosity, right?
It starts with puzzle solving.
Our kids go online at an earlier, earlier age
than our generations did,
and they begin with playing games.
Almost all of our future
cyber criminals start as gamers.
And that's not to say that
gaming is a predictive factor
to becoming a cyber criminal,
but it’s that first exposure to puzzle solving-
I hope not,
because we have to let go half of our staff.
Right? I would be a hypocrite too, because I
got plenty of time spent on games
but never became a cyber criminal.
Right?
But it certainly helps to be tech savvy.
That's where it starts.
I think that's exactly right.
It starts with some of that tech savviness.
It starts with that exploring and wanting
to solve the puzzles of the game.
And another big difference
from our generation of gamers
and the modern generation
that we're seeing with
this rise of teenage cybercrime,
is that it's community.
When I grew up playing video games,
I was playing those games by myself,
or if I was playing with friends,
they were sat next to me
on another controller. Right?
But now, the minute you become active
on a game, you're meeting people
and people are finding you.
It's not you seeking out community.
That community is finding you.
And just as likely as that's a good voice,
a positive voice
telling you all the wonderful,
rich things you can do in cyber.
We actually know that that's people
who are using this for nefarious purposes.
One of the things that I think
would be unsurprising to parents
is that you might encounter
someone on there as a young person,
you might find someone on there
who wants to exploit you.
But what is a surprise
is that there's someone on there
who wants to work with you or offers
you something tantalizingly valuable, like,
you know, we think about Roblox and
I want ten Robux so that I can buy
the special thing for the game.
And you go to your father
and you say, hey, can I have ten Robux?
And being a very good parent, you say, no.
And that's usually the end
of the conversation, right?
If you're in a physical store, in the
supermarket, in a department store,
and your parent tells you no,
you can't have the money to buy
that thing, well, that's generally the end of it.
But online.
For those who are unfamiliar
with Roblox, it's this big platform
where people can offer some games,
and it's a digital world,
basically, lots of communication happens.
You can get into different worlds.
It's almost like Ready Player One, right?
It is the definition of choose
your own adventure, right.
It is not the traditional thing
you think of,
if you think of a video game
as being a single game you play,
and maybe there's an open world
within that video game.
These are open worlds for you to
then find games to play.
And there's people there, and there are
conversations you can have with them.
You can meet community. There are amazingly
rich and rewarding and wonderful things
that can happen on the game.
And that's where some of this discovery
and an interest
in tinkering and experimenting
and breaking things starts and
breaking things is hacking.
But hacking isn't the bad word, right?
It's cybercrime that's the bad word.
Hackers are the way
we made it to the moon.
Hacking is the reason we're talking over
a video call across continents, right?
Hacking is a wonderful thing.
It's becoming a criminal
and using those hacking skills
to harm someone else, to steal money,
to engage in some sort of harmful activity
that becomes the thing
that we're trying to discourage
and instead encourage
use those hacking skills to be the reason
why we're talking over a Zoom call
and able to communicate and see each other
in high quality video over the,
you know, the Atlantic, right?
That's a wonderful thing
that hacking brought us.
Yeah.
But I mean if a kid is like 25 years old
their moral compass is developed, right?
So then well, if your education
is not too bad then probably,
they won't fall easily for
these kind of things.
But an eight year old,
I have an eight year old, actually,
and he wants to go to Roblox
and that's actually
because his friend in school, she says:
Daddy, daddy, it's almost six o’clock.
I now need to go online, because
my friend is on Roblox as well.
We meet up there.
So that's a young age, right?
So yeah, maybe, indeed, if I say
no, I won't get you those credits,
because that's what you said,
so someone else might be
offering credits there.
Roblox coins or what was the
name of it? A Robux. Yeah.
Like it's exactly right.
The community that you can
meet on there might be great.
It might be your classmate from school.
But it could also be a complete stranger
from the other end of the world
who is finding fertile ground
for the recruitment of someone
to help them in their schemes.
You know, you asked me for a few examples.
Another Dutch example term
from just about a month ago
was two Dutch teenagers who were arrested
for spying for the Russians,
and they met their
Russian agent on Telegram.
So we think it could be the child predator.
That's the one the parents are worried about.
Could be Russian spies.
It could be arms traffickers for the eight
year old who bought the AK 47.
Or it could be organized crime gangs
that are on there who want to recruit you
as someone who can help them
launder some cryptocurrency
or get access to a
computer system for them
so that they can make more
money or steal some data.
You don't know who you're talking to
on the other side of that computer screen.
Do the kids know
that it's the Russians?
Is it like so much in disguise that
they think they're doing a good thing?
They believe they do the right thing?
Or do they actually understand and
they’re fine with it, is it that far?
With all of these folks, it's the same
kind of pattern that you see with
terrorist organizations, with extremist
groups and with cybercrime gangs.
It's the socialization to criminal activity,
the desensitization to engaging in it,
the reward kind of mechanism that says
it is good for me to engage in this.
I'm receiving positive feedback
from this person who I see as a mentor
or I see as someone to emulate.
And once you have desensitized and socialized
a person to that criminal conduct, now
it's time to operationalize them
and have a young person go do that thing.
No one really joins a gang
thinking, I'm going to commit
acts of violence in the name of the gang,
they're joining for a sense of community.
It's exactly what's happening with these kids
is they join for that sense of community.
They join because this is a person
who understands them or gets them
or has the same interests as them.
And once they're a part of that group,
they desire to continue to receive
that feedback of being
a member of the group.
And to do that, I start
committing cyber crimes
to prove my worthiness
to this person or this group
that I really want to value the
relationship of. Tie into the emotions,
then. It's absolutely emotional.
Are you worried about AI development?
Because I can imagine right now
that it may be a subset of all the people
that are in Roblox or in
Telegram or whatever it is.
But in light of AIs, I mean, they can be like,
it can be a one to 100 ratio. Right?
So, for every real person,
there's a 100 fake ones.
And we are quite capable,
I think, especially as criminals,
to make a bot trust you,
we already see this in, well,
grown up people fall for it, right?
So that must be worrying for you as well
this thing or do you feel differently?
You'll have to bring me back for a whole
nother episode to talk about
my worries with AI, but yes, it is,
it is very concerning, that
young people won't be able
to tell truth from fiction because we as
adults are having a hard time with that.
Right?
And it's not only that,
but it's also the ability to exploit
a young person who you're
trying to cause some harm to
or manipulate, because now,
I can use artificial intelligence
to make it look like you've done
something you've never done.
I now have the photograph
or the video proof
that this was something that I get
to show your friends that you did.
And even if it's fake, if it feels
real enough that can coerce
a young person into doing something
they might not have wanted to do online.
Yeah.
We need to come up with new safety things.
At home, we've been talking about
safe words like, you pose...
You agree on a password to validate that
me as a parent, I'm actually the parent, right?
But then also your child, if he wants
to validate that, he says something.
For example, you could say,
oh, did you see the..
what our parrot said yesterday,
we don't have a parrot.
And then ‘parrot’ is my signal
word and I say, yeah,
he said it was, really great sunshine
yesterday, something like that,
and then you have established,
like, an authentication.
Do you think we need to train ourselves, both
children and adults, to do these kind of things?
Like I... we could do a separate episode of that.
I couldn't agree more that a safe
word is great for kids to validate that
the person that they're meeting in person,
you know, if my parents had this for me,
what's the... if a person comes to pick
you up from soccer practice or from camp
and they don't say the safe
word, you're not going with them.
That can also work for companies
so that when the CEO is messaging
the chief financial officer to say,
I need you to send this money right now,
the CFO can say, ma'am, I'm not doing that
until you tell me the safe word, because,
no AI will know the company safe word.
It can be trained on this call, right?
AI can be used to impersonate both of us.
Having had this long of
an audio sample of us.
But if it doesn't know that safe word,
we're not sending the money.
We're not, that kid's not getting in
the car with that person.
So, yeah, it -
Real people authentication.
We need to rethink this.
Yeah.
Code word authentication.
Yeah. Yeah.
On the subject of how children
fall for this, to summarize,
they want to belong to a group,
their parents who are,
well, with good intent,
denying stuff for the kids.
They can find the same stuff
somewhere else, or that's
what's appealing to them.
Maybe their moral compass
isn't shaped enough yet.
It’s a bit more weak, naturally, it's
not the fault of the parents, of course.
Any other mechanism that you're worried
about that you see in the real world
that play a role in this... mechanism
of children getting to the dark side?
What you've just said,
I think is exactly what
parents need to know,
is that we’re ... I liken it
to giving kids the keys to the car
without driver's education.
And a good friend of mine, Fergus
Hay, who we'll talk about in a minute,
who's one of the founders of
The Hacking Hames, says it great
that kids are learning coding in school,
but not a code of ethics.
And that's what's happening is
we have these these digital natives,
folks who have grown up online
from a very early age.
You know, you have three year olds
who are surprised that
the photograph hanging on the wall
isn't a touchscreen.
Because everything is a touch screen.
Fingerprints on the television.
Yeah.
That's why the television
should be a touchscreen. Right?
The digital natives that are being raised
by digital immigrants.
And then we have our..
And that's not our parents fault.
That's not our fault for not understanding
this world that our kids are getting into.
But we need to understand it.
We need to know what those questions
are to ask about that online time.
So what can we do as parents?
Let’s ... what can we do in general,
so let's first talk about parents
and we'll talk about
what companies
or organizations can do as well.
But as a parent you're concerned
about this, concerned about Roblox,
I mean, you can deny Roblox,
for example, is that a solution?
Yeah. You can try certainly,
the offline option,
but I imagine you'll be met
with quite a lot of resistance.
And instead we should accept that if
our young kid- I would say even worse,
you don't prepare your child for
the world they're going to be in anyway.
Yeah.
No, that's absolutely right
that by denying this reality of
what is an online world, you are,
you may be doing a disservice
for preparing your child for the future
that will inevitably go online at some point.
And, you know, I think as
a parent, I would encourage,
be curious, ask questions,
understand what they're doing online.
You know, if we left our eight year
old, if you left your eight year
old on the playground alone for hours,
which I wouldn't recommend,
but even if you did and you
came back to pick them up,
you would have an awful lot of questions
about what happened during that time.
Who'd you play with? What did you do?
Did anything interesting or weird happen?
Right?
We know how to ask those questions
about in real life interactions
that our kids engage in. So be curious.
Be engaged, understand what this is.
So I should ask my son, how was Roblox?
Yeah. Who did you meet? Did you have fun?
You know, to use the playground
example again, if you think about
a kid going out, maybe it's not
being left unattended,
but they go to a party where
they're going to spend time
with a bunch of friends,
and then they come back home
and they're dropped off at home
just in time for dinner.
You would ask all kinds of questions
about that party, but if instead
your eight year old spent the afternoon
on Roblox, would you ask any questions?
Or would you just think, oh
well, they were on Roblox this afternoon
and that's all I need to know.
We're not asking those questions about and
engaging with and understanding their life.
You can ask and like I said,
be engaged, show me Roblox.
Show me what's happening on here.
Ask questions.
I mean, that's just a parent being engaged
and interested in the interests of your child,
but it's also helping
you learn a little bit and understand,
like what's going on up there
in their brain.
And who are these people
that they're talking to?
What is this community?
Is that a friend of yours
that you talk to every day?
What do you know about this person?
Why don't we do this already?
Why is it not second nature of parents?
I think that we see time spent on video games
and the computer as dead time.
It's just, that's the activity,
is being on the computer.
And if you remember 25 years ago,
30 years ago, that is true, right?
I remember my father yelling from his
home office, no one get on the phone
because it would kick us
off the internet, right?
That's not reality anymore.
Tthat was the solitary event,
to be on the computer, to play
a video game was to be spent by yourself,
or with a friend sitting next to you
playing the game together.
Now it is an entire online universe
where you're meeting people.
You're engaging with people
that are from all over the world,
and that can be wonderfully enriching.
But it is something for us
to be just as concerned about as well.
Right? Like, we would ask
who was at the birthday
party, who were you hanging
out with this afternoon?
What did you do?
We should just ask the same questions
about digital life.
Yeah, like you said,
parents are digital migrants,
and we need to understands
the digital native world.
Otherwise we cannot, we don't live it.
It's too unknown for us.
We should adapt. Yeah.
And so we should be curious.
We should understand that thing.
It's no different to me than just keeping
up with the next generation's interest.
We would do this when it comes to music.
We would do this
when it comes to entertainment.
With arts, with all other kinds
of aspects of the culture around
what a young person our next generation
is experiencing online,
we should just, or in their real life
all over, not just online, but we should
we should really pay attention
to what's happening there
because that's a real
we know that that's the common
kind of path, is the gaming,
the activity online.
That then leads to some more dangerous
and risky things, you know, and
I used to say in the FBI, I want kids
who never want to meet law enforcement,
to never have to meet law enforcement.
You never want to have to meet a police officer,
because maybe you just don't like them.
And that's okay.
You don't have to like the police,
and hopefully you never have to meet them.
But if you keep going down
the path of committing cyber crimes,
that choice is going to get made for you.
Because to your point,
at your opening,
the next knock at the door
might not be the DHL package
with the AK 47 inside,
it might be the police
coming to ask some questions
about how you got that AK 47.
So you're talking about,
keeping kids on the right path
and educating them on that.
Can you tell me about The re_direct Project
that you're a founder of?
Yeah. Thank you.
That has everything to do with this.
You know, my last few years in the FBI, I spent
really, really focused on juvenile
cybercrime and seeing that young people
and not just these anecdotes
that I've shared with you,
but really, there's some studies
that up to 80% of teenagers
in New York City have either committed
or been the victim of a cyber crime.
By the time they're 16, that's 80%.
And when you think about cyberbullying,
extortion, the other kinds of things
that really can follow you home now
as a young person, the need for
young people to be educated
and for parents to have a resource
to go to, to understand those places
that they need to learn about,
their kids are going to online.
I recognized that there was a need
for a central kind of organization
that could foster these resources
and really provide that
mentorship for young people
from the moment
they're active online to the moment
they get their first job in tech.
And so I founded an organization
we called The re_direct Project.
And it kind of has that
helpful little double
meaning of a redirect request online, but
also redirecting some of that behavior,
to kind of provide a central place
for those resources.
And we're a relatively nascent organization.
Just getting started earlier
this year, to build that
central location for resources for parents
as well as for justice involved kids.
And, what I mean by that is like
a young person who has found that
they've committed a crime serious enough
that the police have gotten involved.
But, you know, this is a young person.
They're 15, 16 years old,
and kids need help, not handcuffs.
That's, when you become a 15 year old who's now
hacked the shipping lines in the Mediterranean.
That's far more grand of a criminal conduct
than I think a lot of people would
think a 15 year old capable of.
But that's something that
shows a level of creativity,
curiosity and skill that should
be harnessed and rewarded.
Certainly not the crime itself,
but the interest in those things
and to be redirected
in a positive direction so that hopefully
we can turn a cyber attacker
into a cyber defender.
I'm guessing that you don't want to wait
until the police is at your doorstep
and telling you that your son or daughter
has done something bad online, right?
Well, yeah, that feels
already too late, you know?
Yeah. So, how does The re_direct Project,
how do you get in early then?
Well, at the at the risk of saying
I'm just plagiarizing
a bunch of good work that some
Dutch folks are already doing,
I'm trying to bring over here to the United States
some of the great work that's being done
by a private company in the Netherlands
and also by the Dutch police.
So there's a company called Hack Shield
that is a wonderful program
for elementary school students
to learn digital citizenship.
And it starts with gaming, right?
It's some amazing work done
by some career professionals in gaming
who have come up with this
very engaging game that you play
with your teacher at school,
and you can play it by yourself online too.
But Hack Shield is really designed
to be played in class.
And what a cool thing for a
first grader to go into school
and say, hey, today we're
playing video games in class.
And the kids actually get taught to know
something about password security,
to know about staying safe online.
And they've seen dozens of examples
of young people going home
and telling their mom, like, hey, mom,
you know, you have a weak password.
I love it.
That's the, y’know, when we’re starting early-
So you try to find a broad audience, then
So you put it in schools.
All kids should be there, right?
And start early. Prevention really start at the beginning.
I call it all carrot, no stick, right?
We're not punishing anyone
for their desire to be online.
We're showing them the wonderful,
beautiful things about being online.
You know, you want to see that as a positive thing,
you don't want to immediately
associate this with the bad activity
that can happen.
But let's highlight some of the
wonderful things that you can do online.
So The re_direct Project is actively working to
try and bring Hack Shield to the United States.
We currently don't have anything
like this in the US to train
elementary school kids,
on their digital citizenship.
And to your point about reaching kids
before law enforcement gets involved.
Well, the Dutch police have
a program called Reboot Camp
that is for young people who have engaged
in maybe some risky behavior.
Think about that kid who hacked in
to try and change his grades in Italy.
And I see that happening
all the time in the United States.
High school aged kids who are finding
a way to get into their school
because sometimes your
first hack is often the hack
you know, it's the school,
it's something in your community.
And so- And a very clear reward.
A very clear reward right, now,
even though it doesn't look
like I'm doing my homework,
you know, my parents will see that I have
great marks or as one kid- See mom, I'm great,
I don't have to do homework.
Well, a 14 year old in
the United States last year,
not only did he find a way
to change his own homework marks
to make it look like they were completed,
he started selling the ability to do it
for anyone who was using the same homework
curriculum management system.
For about 25 bucks, he could mark
your homework as completed for the week.
And so young people were paying him
quite handsomely for that.
Now this guy is actually an entrepreneur.
He should go to Silicon Valley and be
mentored there and stick to the right path.
Right? That what you're after?
Absolutely, it’s how do we take those energies,
because Silicon Valley
is filled with people
who were teenage cyber criminals
who just never got caught.
You know, there's a friend of mine
who's a very successful CISO
of a major company who, when he was 16,
hacked the local telephone company
and routed all of the toll free numbers
to his best friend's house, as a joke.
And that's a good one, right?
It's a good joke.
Thankfully, he found a different path into cyber
and is now a very successful cyber professional.
But if he would have been caught
for that activity, he could have,
that path could have been
a path of lifelong consequences
of criminal justice involvement.
So what do we do with punishment then?
If kids get into this,
lured into this either by someone online
or by some reward to get the credit
and they get caught?
What should be the good response here
from parents, from law enforcement?
Yeah, we have to recognize
that someone was harmed here, right?
So that can't be ignored.
And we can't just say, hey,
hack good enough and we'll find you
into the recruiting pipeline
of The re_direct Project or The Hacking
Games or the Dutch police, right?
So there has to be consequence,
there has to be remediation,
there has to be reconciliation.
And, to give credit to another
Dutch program called Hack Right,
for first offense, young people
who commit a cyber crime,
they do have consequences.
They go to court, they plead
guilty to a cyber crime.
But they are then partnered with a private sector
mentor for that period of supervised release.
So probation instead of incarceration,
where they learn what they did was wrong,
they work on a project to help make
the world a better place, a safer place.
In one case, there was a young person
from the Netherlands
who was running a global
denial of service campaign.
And his punishment, if you call it that, was to spend
three years working with a Dutch cybersecurity company
to write a DDoS protection tool
that the company could then use.
And now that guy has a successful career in cyber,
and I don't even know who he is, right?
I just know his story and that's great
because he's not suffering these career
consequences of something he chose to do
when he was a teenager.
I made a lot of bad decisions
when I was a teenager,
and I'm thankful that I'm not punished
for those because I don't have, the world
find out about them because I've hacked
the shipping lines of a company
or, you know, there is a 17 year old who
hacked the transportation system for London.
Those are the sort of world
renowned cyber crimes
that these folks
are going to be known for forever.
So how do we reach these people before
they become infamous, so that hopefully
they can become famous for being a cyber
defender with those same skills?
Yeah, being in the cyber business myself,
I really I'm very much in favor of less hackers
and more engineers that can
fight the remaining hackers.
So. Yeah.
Well and to give a plug for another
organization that I'm involved with,
it's called the Hacking Games.
And Hacking Games is doing just that.
We are building a generation of ethical
hackers to make the world a safer place.
And we're also starting with games.
So the Hacking Hames will be launching
the very first Ethical Hacker
Esports challenge, coming up
in the next few months.
And that is to recruit young people
who would be attackers,
to find those career opportunities
in cyber, to become
an engineer, to become a red teamer,
to become a pen tester.
You can do really destructive,
cool creative things online.
But just you got to do it within the confines
of what doesn't hurt someone else.
You can be the first person to demonstrate
how to hack a car and take it off the side of the road.
That's already been done,
but that was a hacker who did that,
but he had permission from the car company
to do it, and he's kind of famous
for being the first person to hack a car,
and that's pretty cool.
And he didn't have to worry about his door
getting knocked on by the police the next morning.
So there's a lot available.
So if you're listening
and you're in your car, you're like,
I want to go to these.
Well, they're all in the show notes,
so don't worry.
When you get home, just look at them
and all the links are in there.
We'll make sure they're in there. Great.
So we talked about, as a parent,
how you would cope.
I have one more question about this.
What if you suspect that your child
is going the wrong way online somehow
but you're maybe personally
not savvy enough or you don't know,
or you have a bit of distance
between you and he’s [ ]
What would you recommend a parent to do?
Yeah, it's a really difficult question.
Right? And this isn't unique to cybercrime.
We've experienced this
for centuries of what
do we do with our kid who seems
like they're up to no good?
What do we do with our kid who seems like
they're going down the wrong path?
And it is so important just to try and engage
with them, to understand what's going on there.
And that was one of the, you know,
when I said to be curious, be engaged.
But you also have to be skeptical
and you have to be willing
to intervene in situations where
you feel that things have gone awry
because that path is a very slippery slope
that can go poorly really fast.
And so I do think that parents
just have to stay engaged.
It's a fantastic question of what to do
if that relationship is not
one that feels open to to those questions.
But there's there's just such a potential...
Pause and rephrase my answer here.
What we see in comparing the way
that young people in real life
kinds of wayward paths go with our online
is that it happens so much faster.
From the time this person meets
the wrong person online,
to the time they become a cyber criminal,
commit their first cyber crime is
sometimes as often as twice or three times
as fast as the same cycle would take
if you were joining an organized crime
group or a terrorist organization.
And so it is truly, time is of the essence
for parents to be engaged with their kid,
to understand what's going on.
And sometimes to take, you know,
significant interventions into their life
to ensure that they're not committing
cyber crimes or being harmed online.
Talk about it. Yeah.
Harmed online is another thing.
I mean, you can also be extorted
for sharing pictures or anything.
We've seen those as
well. Yeah. So talk about it.
Ask for help if you don't know how
to handle it, with someone else.
There needs to be a dialogue.
That's what I hear you say.
There should definitely be
a dialogue with your kid,
with the other people in their lives.
So teachers are often the first responders
to see a change in a child's behavior
because they spend more waking hours with
our kids at certain points in their life than we do.
So it's understanding
those behavioral changes.
It's also educating our educators to those
warning signs of online harms of
being cyber bullied or cyber harassed
and stalked, because it's just as likely
that a young person might be being harmed
online as doing the harm.
And I think, you know, I would encourage
anyone who hasn't seen
the show Adolescence to watch,
because- Adolescence,
yeah. It's based on a true story. Right.
A couple of true stories.
And when you see how surprised the parents
are to learn that their young person
was capable of something
like this, a 14 year old boy, right?
It was ...
A very intense series,
I would recommend to everyone.
Indeed, yeah.
But as it lays... Be prepared.
Yeah, be very prepared for how
emotionally charged that show is.
But also just how incredibly
compelling and
and beautifully shot
it is, as well as a show.
Yeah, every episode is one single shot,
it's amazing what they pulled off.
It's a must see.
[ ]
And it's so compelling and so accurate
for both parents and teachers
to understand some of the reality of what
our young people are getting involved
in online, that it's being shown
in every secondary school
in the United Kingdom. For free.
It's being shown by the government
to really help educate and
highlight the nature of this.
And so parents need to be aware,
they need to understand some of
the changes that your kid may exhibit.
They might become more emotionally
withdrawn. They might look,
you know, for no apparent reason they
may appear depressed, they may begin
wearing more concealing clothing
because they could be harming themselves.
I mean, there's some really obvious warning signs
our parents need to look out for as well.
They can find some of those.
There was a public service announcement
that was put out by the FBI in the spring.
That also includes some of the warning signs to
be aware of for young people both being victimized
and doing the harm,
that parents should be aware of,
but it is just staying curious and staying
alert to make sure that you're you're
protecting your kid from the realities
of what it means to be active online.
Clear. Yeah. We're almost out of time.
But I have one question
on behalf of organizations.
What can organizations do to help?
I mean, maybe with The re_direct Project itself,
but I mean, there's also talent in there.
So maybe there's an angle there.
What would you advise a company
to do or any organization?
Yeah.
I think besides our code word for wire
transfers that we talked about earlier.
Yeah. There's some great things that
companies can do to get involved here.
As you've mentioned,
there's some great talent in here.
And we talk a lot about
the cybersecurity job gap.
There's you know,
so many unfilled cyber jobs
that these young people
are perfectly placed to fill.
They just need the encouragement
and the guidance to go
that path rather than the wrong.
So, companies can get involved
with organizations
like the Hacking Games, where we're
building a recruiting pipeline
for young people to find
those cybersecurity jobs.
You can partner with the Hacking Games to
better, y’know, be involved in recruiting this
you know, remarkable,
unconventional talent
that is growing up right before us
that needs to find these jobs
as outlets for that behavior
and that excitement
and that: how can I be
the first one to hack a car?
How can I help keep the schools
safe from cyber crime can grow up to,
how can I keep the company,
how can I keep a country
safe from cyber crime?
Companies can also please
reach out to The re_direct Project
where we're building
some of those resources.
We are looking to bring Hack Shield
to the United States, as I mentioned.
And there's plenty of room for companies to
get involved wherever they are in the world.
Hack Shield is now, I think in
ten countries and growing,
you know, every day.
So there's plenty of opportunities
for companies
to partner with some of the work
that's being done here
to help educate young people,
but also to help eventually hire
some of these young people
so that they can solve
what is the second or third
largest economy in the world, right?
Cybercrime.
And we are going to need more
and more defenders for this every year
to help solve the cybercrime crisis.
Well, thank you very much for putting the ethical
in ethical hacker at a very young age.
Yeah. That's the plan, right?
Let's give kids the opportunity
to see themselves
as a cyber hero and
not as a cyber attacker.
So I really appreciate...
Well, thank you very much.
Thank you so much for the opportunity.
It was great to be here.
Well, thank you very much for all the insights
you've given us and all the pointers
that we can actually start to
work with from tomorrow.
Thank you so much.
William McKeen.
Thank you so much. And for our viewers,
thank you very much for tuning in.
If you like this episode,
please press the like button.
There's also a subscribe button,
which means that the next episode
is also in your inbox.
You can also ring the bell
and that will mean
you even get a notification
if you don't want to miss any episodes.
Thank you for tuning in this time.
Hope to see you next time. Goodbye!
Thank you for listening to Threat Talks,
a podcast by ON2IT cybersecurity and AMS-IX.
Did you like what you heard?
Do you want to learn more?
Follow Threat Talks to stay up to date
on the topic of cybersecurity.