
3/13/2019
04:15 PM

Autism, Cybercrime, and Security's Skill Struggle

People on the autism spectrum often possess traits that could help them succeed in cybersecurity - providing they don't fall into cybercrime first.

Many cybercriminals aren't diagnosed with autism until they enter the criminal justice system – and the same traits that lead them toward digital crime could potentially help them fight it.

Rebecca Ledingham, vice president of cybersecurity at Mastercard, spotted the trend earlier in her career as a cyber agent for the UK's National Crime Agency. "They weren't the kinds of offenders I was used to dealing with in drugs and sex crimes," she said in an interview with Dark Reading. Their social behavior, she said, was different from what she'd seen in other areas of crime.

Often, she continued, cybercriminals are first diagnosed as being on the autism spectrum during the criminal justice process. Later in her career, as a cyber agent for INTERPOL's Global Complex for Innovation (IGCI), she realized the issue was broader. Ledingham's work with global agencies revealed that, outside of cybercrime, no other offense came with a foundational condition. "There's no other organic set of offenders that may be predisposed to cybercrime due to the nuances of their disorder," she said.

Autism presents itself at the age of two or three, and more than 17 million people worldwide are diagnosed, said Ledingham in an RSA Conference talk. Their curiosity and eagerness to solve problems, among other traits, can lead them into dangerous areas, especially online.

Traits on the autism spectrum that lead folks into cybercrime could work just as well in a security operations center – but it's essential to understand the nuances of these behaviors because no two people with autism have the same set of characteristics. As Lysa Myers, ESET security researcher, put it: "If you've met one autistic person, you've met one autistic person."

So which traits lend themselves to careers in tech and, specifically, cybersecurity?

"Oftentimes people with autism are very good with math and science," said Ledingham in her talk. IT is logical and syntax-guided; there is usually one way of doing things. Many people with autism are pattern-thinkers, she added. "If you look at a piece of code and it's missing a semicolon, you would notice because the pattern doesn't fit," she said.

Many people with autism are "hyperlexic," an autism-related term for those who are intensely interested in letters and numbers and who possess an advanced reading ability. For them, it would be simple to switch between English and coding, as they could easily understand both.

A photographic memory is another trait seen in people with autism, Myers said. It's another quality that could, for example, help them think of a network architecture and visualize security holes.

"People with autism are very focused on problem solving," Ledingham said. "You have a real difficult problem … they will focus on it until it's solved." They're detail-oriented, rule-oriented, and they have the tenacity to stick with complex issues other people may abandon.

So Why Turn to Cybercrime?

"Our scientific and digital world has been built on the output of the autistic mind," Ledingham said. Still, there are a number of complicating factors that make it more likely that people with autism will fall into cybercrime rather than start a security career.

For starters, many struggle with social anxiety. They avoid eye contact and/or suffer from depression, social isolation, and a high need for control. Most people Ledingham worked with tried to get the academic credentials to legitimize themselves but failed to succeed in college – an atmosphere characterized by social interactions and a lack of routine or control.

"For some people, college can be really overwhelming," Myers said. "They can have poor grades and not make it through." As a result, they lack the degree needed for most security jobs.

But on the Internet, they could be who they want to be. People who are bullied in real life can have a plethora of friends online, Ledingham added in her talk. When she talks to cybercriminals who have later been diagnosed, she has found gaming is the common thread that lures them into crime. These days, the gateway is Fortnite: Kids as young as 14 are part of a hacking program built around the game.

"The police are not interested when your Fortnite account or World of Warcraft account gets hacked," she said. "But if kids are cutting their teeth on it, there's no legal consequences."

We have to think of crime profiling differently in cybersecurity, Ledingham emphasized. People with autism often understand right and wrong, but they often don't understand actions and consequences.

Myers is cautious about drawing a broad link between cybercrime and autism, which covers a broad spectrum of people and capabilities. "While I don't doubt some autists have engaged in cybercrime, I am not sure how large the problem is compared with the neurotypical population," she explained. "What I do know is that we desperately need people with a variety of different abilities and thought processes to close the cybersecurity skills gap."

What Businesses Should Know

Organizations could benefit by welcoming employees with autism, but many don't know how. People with autism often don't reflect personality in interviews and struggle with behavioral-based questions. You can't ask them to imagine how they might act in a certain scenario, for example. Questions should be specific, literal, and direct. Deadlines should be made clear.

"The more you spell things out, the easier it is," Myers said. During the hiring process, be specific about each step and expected date of each one. When onboarding new employees, outline what is expected within the first three months and continue to work with them to set goals, schedule deliverable dates, and notify them of any changes. "Be clear about what steps you're going to have, what's expected of them, and what's expected of you," she explained.

It helps to approach the hiring process in a project-oriented way, Ledingham said. Give them a project and evaluate their performance, then hire them based on the output of that project. She pointed to Microsoft as an example of a company with a program designed for workers with autism.

"They now have one of the most comprehensive hiring programs where autism is concerned," she noted.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
