Many cybercriminals aren't diagnosed with autism until they enter the criminal justice system – and the same traits that lead them toward digital crime could potentially help them fight it.
Rebecca Ledingham, vice president of cybersecurity at Mastercard, spotted the trend earlier in her career as a cyber agent for the UK's National Crime Agency. "They weren't the kinds of offenders I was used to dealing with in drugs and sex crimes," she said in an interview with Dark Reading. Their social behavior, she said, was different from what she'd seen in other areas of crime.
Often, she continued, cybercriminals are first diagnosed as being on the autism spectrum during the criminal justice process. Later in her career, as a cyber agent for INTERPOL's Global Complex for Innovation (IGCI), she realized the issue was broader. Ledingham's work with global agencies revealed outside of cybercrime, no other offense came with a foundational condition. "There's no other organic set of offenders that may be predisposed to cybercrime due to the nuances of their disorder," she said.
Autism presents itself at the age of two or three, and more than 17 million people worldwide are diagnosed, said Ledingham in an RSA Conference talk. Their curiosity and eagerness to solve problems, among other traits, can lead them into dangerous areas, especially online.
Traits on the autism spectrum that lead folks into cybercrime could work just as well in a security operations center – but it's essential to understand the nuances of these behaviors because no two people with autism have the same set of characteristics. As Lysa Myers, ESET security researcher, put it: "If you've met one autistic person, you've met one autistic person."
So which traits lend themselves to careers in tech and, specifically, cybersecurity?
"Oftentimes people with autism are very good with math and science," said Ledingham in her talk. IT is logical and syntax-guided; there is usually one way of doing things. Many people with autism are pattern-thinkers, she added. "If you look at a piece of code and it's missing a semicolon, you would notice because the pattern doesn't fit," she said.
Many people with autism are "hyperlexic," an autism-related term for those who are intensely interested in letters and numbers and who possess an advanced reading ability. For them, it would be simple to switch between English and coding, as they could easily understand both.
A photographic memory is another trait seen in people with autism, Myers said. It's another quality that could, for example, help them think of a network architecture and visualize security holes.
"People with autism are very focused on problem solving," Ledingham said. "You have a real difficult problem … they will focus on it until it's solved." They're detail-oriented, rule-oriented, and they have the tenacity to stick with complex issues other people may abandon.
So Why Turn to Cybercrime?
"Our scientific and digital world has been built on the output of the autistic mind," Ledingham said. Still, there are a number of complicating factors that make it more likely that people with autism will fall into cybercrime rather than start a security career.
For starters, many struggle with social anxiety. They avoid eye contact and/or suffer from depression, social isolation, and a high need for control. Most people Ledingham worked with tried to get the academic credentials to legitimize themselves but failed to succeed in college – an atmosphere characterized by social interactions and a lack of routine or control.
"For some people, college can be really overwhelming," Myers said. "They can have poor grades and not make it through." As a result, they lack the degree needed for most security jobs.
But on the Internet, they could be who they want to be. People who are bullied in real life can have a plethora of friends online, Ledingham added in her talk. When she talks to cybercriminals who have later been diagnosed, she has found gaming is the common thread that lures them into crime. These days, the gateway is Fortnite: Kids as young as 14 are part of a hacking program built around the game.
"The police are not interested when your Fortnite account or World of Warcraft account gets hacked," she said. "But if kids are cutting their teeth on it, there's no legal consequences."
We have to think of crime profiling differently in cybersecurity, Ledingham emphasized. People with autism often understand right and wrong, but they often don't understand actions and consequences.
Myers is cautious to create a broad link between cybercrime and autism, which covers a broad spectrum of people and capabilities. "While I don't doubt some autists have engaged in cybercrime, I am not sure how large the problem is compared with the neurotypical population," she explained. "What I do know is that we desperately need people with a variety of different abilities and thought processes to close the cybersecurity skills gap."
What Businesses Should Know
Organizations could benefit by welcoming employees with autism, but many don't know how. People with autism often don't reflect personality in interviews and struggle with behavioral-based questions. You can't ask them to imagine how they might act in a certain scenario, for example. Questions should be specific, literal, and direct. Deadlines should be made clear.
"The more you spell things out, the easier it is," Myers said. During the hiring process, be specific about each step and expected date of each one. When onboarding new employees, outline what is expected within the first three months and continue to work with them to set goals, schedule deliverable dates, and notify them of any changes. "Be clear about what steps you're going to have, what's expected of them, and what's expected of you," she explained.
It helps to approach the hiring process in a project-oriented way, Ledingham said. Give them a project and evaluate their performance, then hire them based on the output of that project. She pointed to Microsoft as an example of a company with a program designed for workers with autism.
"They now have one of the most comprehensive hiring programs where autism is concerned," she noted.
- Web Apps Are Becoming Less Secure
- How the Best DevSecOps Teams Make Risk Visible to Developers
- It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
- 3 Places Security Teams Are Wasting Time
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.