Autistic hackers: the teenagers who “get carried away”

Several of the UK's highest-profile hackers have been young autistic men, at risk of extradition and life sentences. Barrister Ben Cooper discusses whether the justice system needs to adapt to these cases.

Sign Up

Get the New Statesman's Morning Call email.

In early 2002, a young man sat at a computer in his girlfriend’s aunt’s house in north London. The internet connection – using a 56k dial-up modem – was frustratingly slow, but on the screen in front of him, an image began to form. Years later, he would describe seeing “a silvery, cigar-shaped object, with geodesic spheres on either side... the picture was taken presumably by a satellite looking down on it. The object didn't look man-made or anything like what we have created.” As he tried to make sense of the image, however, “someone at NASA discovered what I was doing, and I was disconnected”.

Weeks later, police officers knocked on the young man’s door. His computer was seized and when the officers returned a few months after that, they were joined by colleagues from the National Hi-Tech Crime Unit. By November he had been accused of “the biggest military computer hack of all time”, and 18 months later he was facing extradition to the United States, where he faced a trial and up to 70 years in prison.

It took ten years for Gary McKinnon to emerge from the storm caused by his quest for the information he was convinced the US government was hiding on “UFO-related technologies” such as antigravity and free energy. The barrister who defended him from extradition, Ben Cooper, from Doughty St Chambers, tells me McKinnon “didn’t do anything” for a decade. “During that period he didn’t really work at all, he was very depressed. Life wasn’t going anywhere; he was just waiting.”

McKinnon chose a poor time to highlight the US military’s incompetence. Using basic techniques – McKinnon has said that the only “hacking” required to enter the military computer network was a basic PERL script that searched for passwords that had been left default or blank – he was able to trawl military computer networks, occasionally leaving messages that said things like “your security is crap”, and to vandalise key systems for months when, in the wake of the September 11 attacks, security in the US was ostensibly more elevated than at any time in the country’s history. The responding threat of an effectively full-life imprisonment, without any chance of repatriation, was seen by some as a way of forcing him to co-operate with the extradition and accept a much shorter sentence of three to four years. But for McKinnon, who is severely affected by both Asperger’s Syndrome and depression, either option represented a death sentence.

McKinnon’s extradition came perilously close to being realised, after he lost appeals in the House of Lords, the European Court of Human Rights and the High Court. Cooper then brought a judicial review to the High Court, where permission was granted to challenge Theresa May’s decision that extradition would not violate his human rights. May eventually accepted that extradition would violate his rights under Article 3 of the ECHR, because of his very high risk of suicide.

Fifteen years after it originally began, the McKinnon episode is being played out again in the case of Lauri Love. Love, a British-Finnish hacker, has been accused of stealing data from the US military and NASA. Like McKinnon, he is threatened with extradition and effectively indefinite incarceration (up to 99 years) in the American prison system and huge fines. Like McKinnon, he suffers from Asperger’s Syndrome and depression.

These two cases are far from the only two Ben Cooper has seen. In 2013, Ryan Cleary was sentenced to 32 months in prison, one of the most severe sentences issued from a British court for hacking. Cleary, who was 19 at the time, was diagnosed with Asperger’s syndrome and agoraphobia. In the same year, an anti-junkmail service called Spamhaus was hit by the biggest Distributed Denial of Service (DDoS) attack ever seen. The attack flooded Spamhaus with so much data from corrupted computers that large parts of the global internet slowed down. The attacker was eventually identified as Seth Nolan-McDonagh, a British 16-year-old. Nolan-McDonagh had suffered from mental illness, dropped out of school and withdrawn from the outside world. He first became involved in online criminality when he was 13.   

Earlier this year, 20-year-old Adam Mudd was jailed for two years for creating and selling Titanium Stresser, a tool that was used by himself and others – it had 112,000 registered users – to perform more than 1.7m attacks on websites and internet services. Like McKinnon, Love and Cleary, he is autistic. Ben Cooper agrees that he fits the autistic hacker personality type. “Generally they’re not really thinking consequentially. They get carried away, in the middle of the night, on their computers. Most of them are extremely lonely guys who have no friends, maybe kicked out of school, some of them have mental health problems and are very much on their own, and so this is their one opportunity to have a community.”

In daily life, an autistic person’s obsession with organisation and repeating patterns can be debilitating, but in computer science it can be a advantage. Alongside the opportunity for contact that’s missing in their daily lives, the repetitive logic challenges of programming and systems administration offer these young autistic men a type of work at which they can excel.

In the case of Adam Mudd, the judge in sentencing stated he was satisfied that, at 16 years old, Mudd “knew full well and understood completely this was not a game for fun” when he created his malware. But there is little evidence that the considerable sum of money Mudd made from selling Titanium Stresser – police seized over £386,000 in US dollars and Bitcoins – was to the teenage hacker much more than a high score in a game whose consequences he did not fully appreciate. This is evidenced, says Cooper, by the fact that Mudd didn’t use the money to buy anything. “The judge accepted he wasn’t financially motivated, he didn’t have a lavish lifestyle.” The only money Mudd drew from his account, says Cooper, was used to pay tax on some earnings he’d made from another, perfectly legitimate, online business.

Once caught, Mudd again followed a similar pattern to other autistic hackers whom Ben Cooper has represented or researched. “They generally have stopped everything. Adam Mudd stayed offline for two years. (Once) their parents have found out about it, they’re back on their studies. They’re kids who do listen, when told.”

In sentencing Adam Mudd to two years in prison the judge, Michael Topolski QC, described the power of teenage hackers to damage systems around the world as “terrifying”. In refusing to suspend the custodial sentence he added that it must contain a “real element of deterrence”, to persuade other would-be hackers that prison time could accompany their actions. This is accepted as a principle in sentencing many kind of crime - but is an autistic hacker likely to consider it? The National Autistic Society lists as one of the key traits of an autistic disorder that the sufferer may have difficulty “predicting the consequences of an action” and that they may be “less able to see the whole picture”, preferring to focus very closely on details. “What evidence is there,” asks Ben Cooper, “that people with autism actually think ‘I mustn’t do this’? They aren’t generally on the same wavelength as the rest of us, so there’s no evidence that these deterrent sentences actually achieve anything.”

“When they’re that young,” he continues, “it’s questionable whether it’s right in principle to pass a deterrent sentence, when actually the focus is normally on their welfare and rehabilitation, because of their age.”

It is easy to forget that the internet itself is barely older than these teenage hackers, and its ethics may be even less developed. For gifted, socially abnormal young men with stunted moral faculties, the web’s darker corners are instantly accessible. Both Ryan Cleary and Seth Nolan-McDonagh were found to have hundreds of indecent images of children on their computers, and Cleary has been placed on the sex offenders register for five years. Junaid Hussein, another teenage hacker, was jailed for six months in 2012 after purportedly gaining access to the private data of individuals including Tony Blair and Nicholas Sarkozy. “The judge accepted that he wasn’t a terrorist or a jihadi,” remembers Cooper. “There was no prosecution based on that suggestion.” But, after about five weeks in Feltham prison, “he came out and joined ISIS. He went to Syria. He’d just done his A-levels, he had a place at university and he had good parents.” It is not clear whether Hussein was radicalised before or after his punishment, but he quickly became a key figure in the terrorist network. “He was making a lot of money for ISIS, through cyber fraud.” As a valuable fundraiser and propagandist, Hussein became a key target. He was killed in a drone strike in 2015, aged 21.

It is the shameful truth of the digital age that a technology that has revolutionised many areas of commerce and communication has, at the same time, been instrumental in the spread of child abuse, terrorism, disinformation and hatred. In dealing with the autistic-hacker personality type, internet safety and cyber security become the same thing – guiding and protecting these people removes a cohort of gifted hackers from the internet. With the right guidance, it may be that the best kind of rehabilitation for this kind of young, socially or developmentally impaired hacker is found in very similar activity to that which first got them into trouble – but on the right side of the law.

There are plenty of success stories of hackers who turn from poacher to gamekeeper; among the best security researchers are former prisoners. Cooper has seen signs of this already –Adam Mudd was offered a job by a cyber security firm in Newcastle before he was sentenced, while Seth Nolan-McDonagh, having been sentenced to community service, is to proceed with his A-levels. “There have been moves towards exploring how these kids could do cyber security work as part of a community sentence or probation, but nothing has yet been formalised, which is unfortunate because it would give the best form of rehabilitation.”

Will Dunn edits the New Statesman's regular policy supplement, Spotlight.