Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:15 PM
Connect Directly

Autism, Cybercrime, and Security's Skill Struggle

People on the autism spectrum often possess traits that could help them succeed in cybersecurity - providing they don't fall into cybercrime first.

Many cybercriminals aren't diagnosed with autism until they enter the criminal justice system – and the same traits that lead them toward digital crime could potentially help them fight it.

Rebecca Ledingham, vice president of cybersecurity at Mastercard, spotted the trend earlier in her career as a cyber agent for the UK's National Crime Agency. "They weren't the kinds of offenders I was used to dealing with in drugs and sex crimes," she said in an interview with Dark Reading. Their social behavior, she said, was different from what she'd seen in other areas of crime.

Often, she continued, cybercriminals are first diagnosed as being on the autism spectrum during the criminal justice process. Later in her career, as a cyber agent for INTERPOL's Global Complex for Innovation (IGCI), she realized the issue was broader. Ledingham's work with global agencies revealed outside of cybercrime, no other offense came with a foundational condition. "There's no other organic set of offenders that may be predisposed to cybercrime due to the nuances of their disorder," she said.

Autism presents itself at the age of two or three, and more than 17 million people worldwide are diagnosed, said Ledingham in an RSA Conference talk. Their curiosity and eagerness to solve problems, among other traits, can lead them into dangerous areas, especially online.

Traits on the autism spectrum that lead folks into cybercrime could work just as well in a security operations center – but it's essential to understand the nuances of these behaviors because no two people with autism have the same set of characteristics. As Lysa Myers, ESET security researcher, put it: "If you've met one autistic person, you've met one autistic person."

So which traits lend themselves to careers in tech and, specifically, cybersecurity?

"Oftentimes people with autism are very good with math and science," said Ledingham in her talk. IT is logical and syntax-guided; there is usually one way of doing things. Many people with autism are pattern-thinkers, she added. "If you look at a piece of code and it's missing a semicolon, you would notice because the pattern doesn't fit," she said.

Many people with autism are "hyperlexic," an autism-related term for those who are intensely interested in letters and numbers and who possess an advanced reading ability. For them, it would be simple to switch between English and coding, as they could easily understand both.

A photographic memory is another trait seen in people with autism, Myers said. It's another quality that could, for example, help them think of a network architecture and visualize security holes.

"People with autism are very focused on problem solving," Ledingham said. "You have a real difficult problem … they will focus on it until it's solved." They're detail-oriented, rule-oriented, and they have the tenacity to stick with complex issues other people may abandon.

So Why Turn to Cybercrime?
"Our scientific and digital world has been built on the output of the autistic mind," Ledingham said. Still, there are a number of complicating factors that make it more likely that people with autism will fall into cybercrime rather than start a security career.

For starters, many struggle with social anxiety. They avoid eye contact and/or suffer from depression, social isolation, and a high need for control. Most people Ledingham worked with tried to get the academic credentials to legitimize themselves but failed to succeed in college – an atmosphere characterized by social interactions and a lack of routine or control.

"For some people, college can be really overwhelming," Myers said. "They can have poor grades and not make it through." As a result, they lack the degree needed for most security jobs.

But on the Internet, they could be who they want to be. People who are bullied in real life can have a plethora of friends online, Ledingham added in her talk. When she talks to cybercriminals who have later been diagnosed, she has found gaming is the common thread that lures them into crime. These days, the gateway is Fortnite: Kids as young as 14 are part of a hacking program built around the game.

"The police are not interested when your Fortnite account or World of Warcraft account gets hacked," she said. "But if kids are cutting their teeth on it, there's no legal consequences."

We have to think of crime profiling differently in cybersecurity, Ledingham emphasized. People with autism often understand right and wrong, but they often don't understand actions and consequences.

Myers is cautious to create a broad link between cybercrime and autism, which covers a broad spectrum of people and capabilities. "While I don't doubt some autists have engaged in cybercrime, I am not sure how large the problem is compared with the neurotypical population," she explained. "What I do know is that we desperately need people with a variety of different abilities and thought processes to close the cybersecurity skills gap."

What Businesses Should Know
Organizations could benefit by welcoming employees with autism, but many don't know how. People with autism often don't reflect personality in interviews and struggle with behavioral-based questions. You can't ask them to imagine how they might act in a certain scenario, for example. Questions should be specific, literal, and direct. Deadlines should be made clear.

"The more you spell things out, the easier it is," Myers said. During the hiring process, be specific about each step and expected date of each one. When onboarding new employees, outline what is expected within the first three months and continue to work with them to set goals, schedule deliverable dates, and notify them of any changes. "Be clear about what steps you're going to have, what's expected of them, and what's expected of you," she explained.

It helps to approach the hiring process in a project-oriented way, Ledingham said. Give them a project and evaluate their performance, then hire them based on the output of that project. She pointed to Microsoft as an example of a company with a program designed for workers with autism.

"They now have one of the most comprehensive hiring programs where autism is concerned," she noted.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...