Show Hide image

Autistic hackers: the teenagers who “get carried away”

Several of the UK's highest-profile hackers have been young autistic men, at risk of extradition and life sentences. Barrister Ben Cooper discusses whether the justice system needs to adapt to these cases.

In early 2002, a young man sat at a computer in his girlfriend’s aunt’s house in north London. The internet connection – using a 56k dial-up modem – was frustratingly slow, but on the screen in front of him, an image began to form. Years later, he would describe seeing “a silvery, cigar-shaped object, with geodesic spheres on either side... the picture was taken presumably by a satellite looking down on it. The object didn't look man-made or anything like what we have created.” As he tried to make sense of the image, however, “someone at NASA discovered what I was doing, and I was disconnected”.

Weeks later, police officers knocked on the young man’s door. His computer was seized and when the officers returned a few months after that, they were joined by colleagues from the National Hi-Tech Crime Unit. By November he had been accused of “the biggest military computer hack of all time”, and 18 months later he was facing extradition to the United States, where he faced a trial and up to 70 years in prison.

It took ten years for Gary McKinnon to emerge from the storm caused by his quest for the information he was convinced the US government was hiding on “UFO-related technologies” such as antigravity and free energy. The barrister who defended him from extradition, Ben Cooper, from Doughty St Chambers, tells me McKinnon “didn’t do anything” for a decade. “During that period he didn’t really work at all, he was very depressed. Life wasn’t going anywhere; he was just waiting.”

McKinnon chose a poor time to highlight the US military’s incompetence. Using basic techniques – McKinnon has said that the only “hacking” required to enter the military computer network was a basic PERL script that searched for passwords that had been left default or blank – he was able to trawl military computer networks, occasionally leaving messages that said things like “your security is crap”, and to vandalise key systems for months when, in the wake of the September 11 attacks, security in the US was ostensibly more elevated than at any time in the country’s history. The responding threat of an effectively full-life imprisonment, without any chance of repatriation, was seen by some as a way of forcing him to co-operate with the extradition and accept a much shorter sentence of three to four years. But for McKinnon, who is severely affected by both Asperger’s Syndrome and depression, either option represented a death sentence.

McKinnon’s extradition came perilously close to being realised, after he lost appeals in the House of Lords, the European Court of Human Rights and the High Court. Cooper then brought a judicial review to the High Court, where permission was granted to challenge Theresa May’s decision that extradition would not violate his human rights. May eventually accepted that extradition would violate his rights under Article 3 of the ECHR, because of his very high risk of suicide.

Fifteen years after it originally began, the McKinnon episode is being played out again in the case of Lauri Love. Love, a British-Finnish hacker, has been accused of stealing data from the US military and NASA. Like McKinnon, he is threatened with extradition and effectively indefinite incarceration (up to 99 years) in the American prison system and huge fines. Like McKinnon, he suffers from Asperger’s Syndrome and depression.

These two cases are far from the only two Ben Cooper has seen. In 2013, Ryan Cleary was sentenced to 32 months in prison, one of the most severe sentences issued from a British court for hacking. Cleary, who was 19 at the time, was diagnosed with Asperger’s syndrome and agoraphobia. In the same year, an anti-junkmail service called Spamhaus was hit by the biggest Distributed Denial of Service (DDoS) attack ever seen. The attack flooded Spamhaus with so much data from corrupted computers that large parts of the global internet slowed down. The attacker was eventually identified as Seth Nolan-McDonagh, a British 16-year-old. Nolan-McDonagh had suffered from mental illness, dropped out of school and withdrawn from the outside world. He first became involved in online criminality when he was 13.   

Earlier this year, 20-year-old Adam Mudd was jailed for two years for creating and selling Titanium Stresser, a tool that was used by himself and others – it had 112,000 registered users – to perform more than 1.7m attacks on websites and internet services. Like McKinnon, Love and Cleary, he is autistic. Ben Cooper agrees that he fits the autistic hacker personality type. “Generally they’re not really thinking consequentially. They get carried away, in the middle of the night, on their computers. Most of them are extremely lonely guys who have no friends, maybe kicked out of school, some of them have mental health problems and are very much on their own, and so this is their one opportunity to have a community.”

In daily life, an autistic person’s obsession with organisation and repeating patterns can be debilitating, but in computer science it can be a advantage. Alongside the opportunity for contact that’s missing in their daily lives, the repetitive logic challenges of programming and systems administration offer these young autistic men a type of work at which they can excel.

In the case of Adam Mudd, the judge in sentencing stated he was satisfied that, at 16 years old, Mudd “knew full well and understood completely this was not a game for fun” when he created his malware. But there is little evidence that the considerable sum of money Mudd made from selling Titanium Stresser – police seized over £386,000 in US dollars and Bitcoins – was to the teenage hacker much more than a high score in a game whose consequences he did not fully appreciate. This is evidenced, says Cooper, by the fact that Mudd didn’t use the money to buy anything. “The judge accepted he wasn’t financially motivated, he didn’t have a lavish lifestyle.” The only money Mudd drew from his account, says Cooper, was used to pay tax on some earnings he’d made from another, perfectly legitimate, online business.

Once caught, Mudd again followed a similar pattern to other autistic hackers whom Ben Cooper has represented or researched. “They generally have stopped everything. Adam Mudd stayed offline for two years. (Once) their parents have found out about it, they’re back on their studies. They’re kids who do listen, when told.”

In sentencing Adam Mudd to two years in prison the judge, Michael Topolski QC, described the power of teenage hackers to damage systems around the world as “terrifying”. In refusing to suspend the custodial sentence he added that it must contain a “real element of deterrence”, to persuade other would-be hackers that prison time could accompany their actions. This is accepted as a principle in sentencing many kind of crime - but is an autistic hacker likely to consider it? The National Autistic Society lists as one of the key traits of an autistic disorder that the sufferer may have difficulty “predicting the consequences of an action” and that they may be “less able to see the whole picture”, preferring to focus very closely on details. “What evidence is there,” asks Ben Cooper, “that people with autism actually think ‘I mustn’t do this’? They aren’t generally on the same wavelength as the rest of us, so there’s no evidence that these deterrent sentences actually achieve anything.”

“When they’re that young,” he continues, “it’s questionable whether it’s right in principle to pass a deterrent sentence, when actually the focus is normally on their welfare and rehabilitation, because of their age.”

It is easy to forget that the internet itself is barely older than these teenage hackers, and its ethics may be even less developed. For gifted, socially abnormal young men with stunted moral faculties, the web’s darker corners are instantly accessible. Both Ryan Cleary and Seth Nolan-McDonagh were found to have hundreds of indecent images of children on their computers, and Cleary has been placed on the sex offenders register for five years. Junaid Hussein, another teenage hacker, was jailed for six months in 2012 after purportedly gaining access to the private data of individuals including Tony Blair and Nicholas Sarkozy. “The judge accepted that he wasn’t a terrorist or a jihadi,” remembers Cooper. “There was no prosecution based on that suggestion.” But, after about five weeks in Feltham prison, “he came out and joined ISIS. He went to Syria. He’d just done his A-levels, he had a place at university and he had good parents.” It is not clear whether Hussein was radicalised before or after his punishment, but he quickly became a key figure in the terrorist network. “He was making a lot of money for ISIS, through cyber fraud.” As a valuable fundraiser and propagandist, Hussein became a key target. He was killed in a drone strike in 2015, aged 21.

It is the shameful truth of the digital age that a technology that has revolutionised many areas of commerce and communication has, at the same time, been instrumental in the spread of child abuse, terrorism, disinformation and hatred. In dealing with the autistic-hacker personality type, internet safety and cyber security become the same thing – guiding and protecting these people removes a cohort of gifted hackers from the internet. With the right guidance, it may be that the best kind of rehabilitation for this kind of young, socially or developmentally impaired hacker is found in very similar activity to that which first got them into trouble – but on the right side of the law.

There are plenty of success stories of hackers who turn from poacher to gamekeeper; among the best security researchers are former prisoners. Cooper has seen signs of this already –Adam Mudd was offered a job by a cyber security firm in Newcastle before he was sentenced, while Seth Nolan-McDonagh, having been sentenced to community service, is to proceed with his A-levels. “There have been moves towards exploring how these kids could do cyber security work as part of a community sentence or probation, but nothing has yet been formalised, which is unfortunate because it would give the best form of rehabilitation.”

Will Dunn is the New Statesman's Special Projects Editor. 

Show Hide image

Investing in a secure future

Increased training and investment in cyber security infrastructure are essential in the digital age.

It is easy to underestimate how crucial the internet is to our everyday lives. It has become an essential tool in the way we communicate with others and conduct business both at home and abroad. More than 1.6m people work in the digital sector or in digital tech roles in the United Kingdom and the internet continues to provide individuals and businesses with huge opportunities.

However, we know that criminals seek to exploit the many benefits of the internet for their own personal gain, often at great expense to others. The WannaCry ransomware attack, which hit the NHS as well as other organisations, highlights the seriousness of the threat and reinforces the need to properly protect ourselves online.

In the recent Cyber Security Breaches Survey 2017, just under half (46 per cent) of all businesses identified at least one breach or attack in the last year. Although it is difficult to put an exact figure on how much this cost the UK economy, it is likely to be in the billions.

We are also all too aware of attacks by hostile state actors who look to exploit the UK through intellectual property theft, in order to further their own interests and prosperity. We take these attempts to disrupt our national security very seriously.

That is why this the government set up the National Cyber Security Centre (NCSC), which provides cyber security at a national level. In its first year of being operational, the NCSC responded to 590 significant cyber incidents, more than 30 of which were sufficiently serious to require a cross-government response.

It is not just large organisations and our national infrastructure that are targeted by online criminals; individuals also face the daily threat of being scammed in their own homes. It is now the case that British citizens are 20 times more likely to be defrauded at their computer than mugged in the street.

It is a threat we all face. I strongly believe that we – individuals, businesses and the government – must play our own part to mitigate the risk and ensure that the internet is a safe and secure space for everyone. The government has legislated within the Serious Crime Act 2015 to create a new offence that applies where an unauthorised act in relation to a computer results in serious damage to the economy, the environment, national security or human welfare, or a risk of such damage occurring.

Legislating against online criminality goes some way to tackling the problem; however, close collaboration between the government, business and international partners is essential in combating the increasingly sophisticated attacks that the UK faces.

We work closely with the NCSC, which acts as a bridge between industry and government, providing a unified source of advice and the management of cyber-related incidents. It is at the heart of the government’s 2016 National Cyber Security Strategy, which is supported by £1.9bn of transformational investment to 2021.

Our law enforcement agencies across England and Wales also play a vital role in disrupting the activities of cyber criminals and bringing them to justice. They now operate as a single networked resource with the National Crime Agency (NCA) and Regional Cyber Crime Units using shared intelligence and capabilities. The NCA also has a dedicated Dark Web Intelligence Unit which targets those criminals who exploit hidden areas of the internet.

But we also want people to take their own preventative measures, so that they don’t become a target by criminals operating in the cyber space. We are running a series of campaigns and programmes which aim to encourage individuals and businesses to adopt more secure online behaviours.

Cyber Aware works with over 320 public and private sector partner organisations to encourage us all to take simple steps to protect ourselves online including using a strong, separate password for our email accounts and installing the latest software and app updates on our electronic devices.

The NCSC has also recently launched expert guidance on how small businesses can easily avoid common online breaches and attacks. Should organisations seek to improve their cyber security further, they can get certification through the Cyber Essentials Scheme.

To further support the efforts of SMEs in improving their cyber security, regional cyber crime prevention coordinators engage with businesses and members of the public to provide customised cyber security advice based on the latest technical guidance from the NCSC.

We must also look to the future – we now have a whole generation that have grown up immersed in tech. It is hugely important that we harness their talents and put them to good use rather than letting them wander down a path towards criminal online activities.

We must train and engage with the next generation of cyber security experts and is why the NCSC is taking a leading role in promoting a culture where science and technology subjects can flourish within the education system. Their CyberFirst programme identifies and nurtures young talent through a series of summer workshops and competitions. In addition, their CyberUK 2018 programme focuses on encouraging more women to enter into the technology industry, a sector that is largely seen as male-dominated.

There is a great effort across government and law enforcement to pursue online criminals, prevent
those that are headed on a path towards criminal activity, protect the public and prepare for the many threats we face online. We will continue to invest in law enforcement capabilities at a national, regional and local level to ensure agencies have the capacity to deal with the increasing threat from cyber crime.

However, this is not a threat that we can tackle alone. It is everybody’s responsibility, from top to bottom, to follow the guidance provided and increase their awareness of cyber security in order to create a safe space to communicate and conduct business online.