Should companies hire criminal hackers?

The rationale for hiring criminal hackers is based on the thinking that "It takes a thief to catch a thief." But some in the security community -- including some hackers at the Black Hat conference this week -- say that it is no longer necessary.

It's not as if the debate is even close to being over -- there are numerous cases of criminal hackers turning from the dark side to help the "good guys." Among the most famous is Kevin Mitnick, who was arrested in 1995 and, starting in 1999, served five years in prison for hacking crimes including breaking into the FBI phone system while the agency was chasing him.


Mitnick describes himself in a memoir called "Ghost in the Wires" as once "the world's most wanted hacker." He now runs his own successful, legitimate consulting business, Mitnick Security Consulting, where he is paid to help companies by exposing their vulnerabilities to people like his former self.

Misha Glenny, a UK journalist who has written extensively about illegal hacking and interviewed a number of well-known hackers, said in a TED Talk from a year ago: "We need to engage and find ways of offering guidance to these young people, because they are a remarkable breed."

Glenny split illegal hackers into two camps. He said Anonymous and other "hacktivist" groups generally do not use their hacked information for financial gain. They argue that they are providing a service by "demonstrating how useless companies are at protecting our data."

He also described them as ideologues, who view themselves as the good guys, "battling a dastardly conspiracy -- they say governments are trying to take over the Internet and control it, and that they are the authentic voice of resistance, be it against Middle Eastern dictatorships, against global media corporations, or against intelligence agencies. And their politics are not entirely unattractive."

The other camp, composed of well-organized criminal enterprises, is in it for the money.


But Glenny contends the profile of many illegal hackers from either camp is one of brilliant but socially awkward people who developed their skills in their teens, when their "moral compass" had not yet developed. "Most did not demonstrate any real social skills in the outside world -- only on the web. One other thing is the high incidence of hackers like this with characteristics of Asperger's Syndrome," Glenny said.

They should not be jailed, he said, "because they have lost their way or been duped." He said the U.S. and UK should follow the lead of China and Russia, which are developing offensive cyber capabilities, "and recruiting hackers both before and after they become involved in criminal and industrial espionage activities and mobilizing them on behalf of the state."

Those arguments are not entirely persuasive, however, to Aaron Cohen, a founder of the Hacker Academy, a cloud-based training program for information security professionals.

Speaking from the Black Hat conference now on in Las Vegas, Cohen said the general consensus of those in the industry is that "it depends" on individual circumstances. "In our circles, it is not a debate that happens that often," but it comes down to "how bad were they, and can they be made good?"

But Cohen said a more relevant issue is that enterprises don't really need to hire criminal hackers and try to reform them. "A lot of guys are figuring out they can make a lot of money and don't have to go to jail," he said, adding that being socially awkward does not really justify criminal activity.

"I've met a lot of socially awkward people in our industry who have found their place -- their niche," he said. "This is a field that pays really well for good talent. You can be 23 and make more than $100,000 a year doing something that you love to do. So you don't really have to hire bad guys. I can find just as many really good hackers who we'll hire right out of college."

That is also the general view of Teague Newman, an independent contractor and expert in penetration testing, who was part of a team that showed how jail security systems could be hacked and all the cell doors opened with a single phone call.

"Obviously [hiring an illegal hacker] is going to be situational," Newman said. "You would want to know if it's malicious, or for something they believe in."

But while he said illegal hackers should not be shut out of the job market, he said: "I don't know that that is a model people should strive for. Some people just shouldn't be hired."

Whatever the legal status of hackers, the demand for their skills is strong. Ashley Rowe reported last week in Information Technology that "hiring demand for hackers hit its highest levels in May 2012 with 977 online job ads. That is a 471% increase since its lowest point in February 2009."

It helps, Rowe noted, for applicants to be Certified Ethical Hackers.


Stories by Taylor Armerding