“It’s OK, I only teach primary”
You might question whether we need to be covering the legalities of hacking in primary schools, as surely pupils are too young to be at risk of offending, but you’d be surprised. The Pathways Into Cyber Crime report from the UK’s National Crime Agency (NCA) highlighted that 61 percent of hackers start hacking before the age of 16, and many can trace their pathways back to discussions in game-modding forums at the top end of primary-school age (helloworld.cc/ncareport). Looking at the make-up of many digital literacy curricula, perhaps we’ve spent too much time on teaching how to protect against cybercriminals at the expense of reminding pupils not to become the cybercriminals themselves! What’s more, the advent of new off-the-shelf hacking tools has lowered the bar of technical knowledge required to undertake cyberattacks, so it’s more important than ever that we educate pupils from a young age on what is and isn’t OK to do with computers.
There is also a real positive opportunity here to promote cybersecurity career choices and strike an appropriate balance of stick and carrot. Pupils need to know what is illegal, but also that if they have an interest in the computer science behind hacking, there is an ever-growing world of jobs available to them when they’re a bit older. Indeed, many offenders interviewed by the NCA and police officers were motivated not through malicious intent, but by genuine curiosity, and by the satisfaction to be gained from solving the complex technical challenge of the hack. If we can get these pupils on the right track, they’ll be a huge asset to any organisation that employs them to defend their digital interests. So, what does the law actually say?
What the law says
In the UK, the Computer Misuse Act 1990 sets out what constitutes illegal activity with a computer. There are five elements of the law, which were translated into child-friendly explanations as part of Barefoot’s Be Cyber Smart resources, and are shown in Figure 1. This figure also shows details of the sentences that people can receive if convicted of each element, including imprisonment and fines.
To bring the Computer Misuse Act to life, let’s look at a selection of real prosecutions to illustrate the elements that make up the law. The following case information was taken from a record of convictions maintained at helloworld.cc/cmacases. This record could be explored with older pupils to deepen their understanding of when and how the law is broken, but please be aware that some cases include crimes of a sexual nature inappropriate for students.
A 22-year-old student created software capable of harvesting names and passwords for various online services. They deployed the software to gather these credentials so that they could then access the services for free. They were imprisoned for six months after they were found guilty of creating the software to harvest login credentials (breaking law 5) and accessing the services without permission (breaking law 1).
A disgruntled Jet2 employee launched a revenge attack that shut down Jet2’s booking system and accessed the CEO’s email. Recovery from the attack cost the company £165,000 (approximately $225,000). The person was convicted of accessing Jet2’s files without permission and subsequently damaging them (breaking laws 1 and 3). They were sentenced to ten months in prison and their laptop was destroyed.
A student hacked into social media and gaming accounts using a program they had created, and then they sold the personal information from within them (breaking laws 1 and 4). They were sentenced to four months imprisonment, suspended for one year.
From these three cases alone, we can see the far-reaching impact of cybercrimes. Here, the victims include those whose online services were being used without their permission, and social media users whose personal information was sold without their knowledge — potentially leading to further crimes such as identity theft. In their interviews, the NCA learnt that cybercriminals often see their crimes as victimless. With large-scale hacks, though, the sheer number of victims can vastly surpass traditional crimes, as demonstrated in these case studies. Most large businesses now employ cybersecurity teams to prevent hacks by regularly testing their organisation’s defences. These penetration testers are just one example of the careers available in cybersecurity.
By introducing pupils to the Computer Misuse Act 1990 (or your country’s equivalent) and case studies such as these, we can lead discussions to educate pupils on what constitutes the illegal use of computers, the impact of these crimes, and the sentences perpetrators can receive. Here is a selection of questions to lead a discussion with pupils:
How was the law broken?
What specific part of the law was broken?
Who are the victims? How are they affected?
What might the punishment be?
Taking this one step further, the free Barefoot You’re the Jury resources, which can be downloaded for free at barefootcomputing.org/cyber after a quick registration, suggest turning classrooms into courtrooms and putting pupils in the roles of defendant, barrister, and jury members. Pupils then hear a number of cybercrime cases and for each, consider whether the law has been broken, who the victims are, and what the punishment might be. The resources even include templates to create a barrister’s wig for pupils and a judge’s wig for the teacher!
From the same set of resources, You’re the Cyber Security Expert brings us back to the positive opportunities of the topic, namely raising awareness of cybersecurity careers. It does this by giving pupils a taste of life in this field as they learn what a brute-force hack is and, importantly, what strategies we could deploy to guard against it. So, for those pupils who exchanged a knowing glance at the mention of hacking, let’s harness that curiosity and raise their awareness of rewarding careers that pursue this interest legally.
barefootcomputing.org/cyber: All the activities mentioned in the article and more can be downloaded here.
Jon is the Barefoot director and the computing lead at Crumpsall Lane Primary School in Manchester, UK. He also leads the computing PGCE at The University of Manchester.
Alan is a senior officer in the Cyber Prevent Team at the UK’s National Crime Agency. He has 34 years of law enforcement experience, including overt and covert roles with HM Customs and a team leader role at the UK’s Interpol Desk and Fugitives Unit.