Is hiring a hacker ever a good idea?

People often talk about a skills shortage in cyber security - could hiring those with a murky past be the answer? Or is it too risky?
Written by Danny Palmer, Senior Writer

In the fight against cyber crime, it's often claimed there aren't enough security professionals around to keep organisations safe from ever-evolving security threats.

But there is one group that should have the skills and the mindset to find the gaps in computer networks that criminals exploit, and to help close them: criminal hackers themselves.

Often these are young, foolish and sometimes not even aware they are breaking the law. But how to make sure that the talents of these youngsters are harnessed for good, rather than for evil, is a challenge that the tech industry and law enforcement agencies are still grappling with.

"We do a lot of prevention to stop these kids from going into cyber crime -- some don't even know that it's criminal what they're doing," said Paul Hoare, head of cyber crime incident management at the National Crime Agency, speaking at Cloudsec Europe 2018 in London.

"A lot of them are very talented and would be a huge boon, so there are lucrative careers for them in cyber security without getting involved in criminal areas -- we're trying to divert them from that."


But there's a key issue looming over the question of hiring those who have dabbled with the dark side, or who have even been convicted of it: can they be trusted? Could they take advantage of a position of trust and abuse it for malicious ends?

"It's a really difficult ethical question and it's a really difficult risk-management question -- not just for a security vendor, but for anyone who's hiring effectively someone into a position of trust," Rik Ferguson, VP of security research at Trend Micro and host of the Cloudsec panel, told ZDNet.

"Even the concept of domain admin within a corporate scenario is a position of elevated trust where, if you wanted to, you could do a lot of damage or have access to a lot of things you shouldn't have access to for the purposes of stealing information. However, everyone deserves a second chance," he added.

But for those who've previously been arrested or convicted for cyber criminal activity, refusing to engage with them could also mean they can't find a legitimate outlet for their skills.

"It isn't black and white. Some people say if they've committed an offence, they'll never hire them -- but you're basically giving them a life sentence and that's very problematic," said Nicole van der Meulen, senior strategic analyst at Europol.


And while there are training schemes to encourage people into cyber security, some of the traits demonstrated by hackers -- and former hackers -- can't be taught in class.

"Curiosity, tenacity, stubbornness, parallel thinking -- all of those things are more important than any professional certification or computer science degree," said Ferguson.

"Because the technical skills you can teach someone -- being the appropriate type of person for the role is not something you can teach. That's why this question of if you should hire someone with a shady past is such a tough one, because clearly they have the curiosity, tenacity, stubbornness, because that's why they went down that path in the first place. I have no idea what the long-term answer to that is," he added.

However, not all young people who stray into cyber criminal activity can be assumed to be highly skilled, because it can be surprisingly simple to obtain malware, DDoS tools or other ready-made attacks and deploy them. In some cases, almost no skill is required at all.

"When you actually speak to some of them and see how they did their attacks, they're not that clever, some of them," said Charlie McMurdie, former head of the Police National Cyber Crime Unit and now senior cyber-crime adviser at PwC. "It's fairly easy and fairly cheap to commit cyber attacks, to buy a phishing kit or whatever."

McMurdie suggests organisations talk to these lower-level attackers to get into the mind of a hacker and understand why they do what they do -- information that can ultimately be used to understand attacks and improve security.

"I think where they're useful sometimes is to understand the motivations and why they do certain things, how they got involved in certain acts, rather than hiring them for their technical capabilities," she said.
