
3/13/2019
04:15 PM

Autism, Cybercrime, and Security's Skill Struggle

People on the autism spectrum often possess traits that could help them succeed in cybersecurity - providing they don't fall into cybercrime first.

Many cybercriminals aren't diagnosed with autism until they enter the criminal justice system – and the same traits that lead them toward digital crime could potentially help them fight it.

Rebecca Ledingham, vice president of cybersecurity at Mastercard, spotted the trend earlier in her career as a cyber agent for the UK's National Crime Agency. "They weren't the kinds of offenders I was used to dealing with in drugs and sex crimes," she said in an interview with Dark Reading. Their social behavior, she said, was different from what she'd seen in other areas of crime.

Often, she continued, cybercriminals are first diagnosed as being on the autism spectrum during the criminal justice process. Later in her career, as a cyber agent for INTERPOL's Global Complex for Innovation (IGCI), she realized the issue was broader. Ledingham's work with global agencies revealed that, outside of cybercrime, no other offense came with a foundational condition. "There's no other organic set of offenders that may be predisposed to cybercrime due to the nuances of their disorder," she said.

Autism presents itself at the age of two or three, and more than 17 million people worldwide are diagnosed, said Ledingham in an RSA Conference talk. Their curiosity and eagerness to solve problems, among other traits, can lead them into dangerous areas, especially online.

Traits on the autism spectrum that lead folks into cybercrime could work just as well in a security operations center – but it's essential to understand the nuances of these behaviors because no two people with autism have the same set of characteristics. As Lysa Myers, ESET security researcher, put it: "If you've met one autistic person, you've met one autistic person."

So which traits lend themselves to careers in tech and, specifically, cybersecurity?

"Oftentimes people with autism are very good with math and science," said Ledingham in her talk. IT is logical and syntax-guided; there is usually one way of doing things. Many people with autism are pattern-thinkers, she added. "If you look at a piece of code and it's missing a semicolon, you would notice because the pattern doesn't fit," she said.

Many people with autism are "hyperlexic," an autism-related term for those who are intensely interested in letters and numbers and who possess an advanced reading ability. For them, it would be simple to switch between English and coding, as they could easily understand both.

A photographic memory is another trait seen in people with autism, Myers said. It's another quality that could, for example, help them think of a network architecture and visualize security holes.

"People with autism are very focused on problem solving," Ledingham said. "You have a real difficult problem … they will focus on it until it's solved." They're detail-oriented, rule-oriented, and they have the tenacity to stick with complex issues other people may abandon.

So Why Turn to Cybercrime?

"Our scientific and digital world has been built on the output of the autistic mind," Ledingham said. Still, there are a number of complicating factors that make it more likely that people with autism will fall into cybercrime rather than start a security career.

For starters, many struggle with social anxiety. They avoid eye contact and/or suffer from depression, social isolation, and a high need for control. Most people Ledingham worked with tried to get the academic credentials to legitimize themselves but failed to succeed in college – an atmosphere characterized by social interactions and a lack of routine or control.

"For some people, college can be really overwhelming," Myers said. "They can have poor grades and not make it through." As a result, they lack the degree needed for most security jobs.

But on the Internet, they could be who they want to be. People who are bullied in real life can have a plethora of friends online, Ledingham added in her talk. When she talks to cybercriminals who have later been diagnosed, she has found gaming is the common thread that lures them into crime. These days, the gateway is Fortnite: Kids as young as 14 are part of a hacking program built around the game.

"The police are not interested when your Fortnite account or World of Warcraft account gets hacked," she said. "But if kids are cutting their teeth on it, there's no legal consequences."

We have to think of crime profiling differently in cybersecurity, Ledingham emphasized. People with autism often understand right and wrong, but they often don't understand actions and consequences.

Myers is cautious about drawing a broad link between cybercrime and autism, which covers a broad spectrum of people and capabilities. "While I don't doubt some autists have engaged in cybercrime, I am not sure how large the problem is compared with the neurotypical population," she explained. "What I do know is that we desperately need people with a variety of different abilities and thought processes to close the cybersecurity skills gap."

What Businesses Should Know

Organizations could benefit by welcoming employees with autism, but many don't know how. People with autism often don't reflect personality in interviews and struggle with behavioral-based questions. You can't ask them to imagine how they might act in a certain scenario, for example. Questions should be specific, literal, and direct. Deadlines should be made clear.

"The more you spell things out, the easier it is," Myers said. During the hiring process, be specific about each step and the expected date of each one. When onboarding new employees, outline what is expected within the first three months and continue to work with them to set goals, schedule deliverable dates, and notify them of any changes. "Be clear about what steps you're going to have, what's expected of them, and what's expected of you," she explained.

It helps to approach the hiring process in a project-oriented way, Ledingham said. Give them a project and evaluate their performance, then hire them based on the output of that project. She pointed to Microsoft as an example of a company with a program designed for workers with autism.

"They now have one of the most comprehensive hiring programs where autism is concerned," she noted.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
