Should we offer cyber security jobs to ex-cyber criminals?

In Information Security ByTeam Acumin / 9th August 2016

According to the cyber security company Radware a fifth of UK businesses have given cyber security jobs to one-time hackers, highlighting a moral dilemma that businesses face.

Radware also stated that 60% of businesses had been the victim of a cybercrime over the last 12 months. Companies could find themselves paying money to the very criminals that have in the past attacked them. Is this morally justified? Is it safe? Should businesses offer cyber security jobs to ex-cyber criminals?

It could be argued that the best people to advise on home security is burglars. They know the vulnerabilities in a house and the easiest way to break into a home. Burglars can advise householders on the areas that need strengthening with security systems, alarms, motion sensors, CCTV and so on.

Ex-criminals have been employed as security experts by many firms. Fraudster Frank Abagnale Jr., whose life story was depicted by Leonardo DiCaprio in the film ‘Catch Me If You Can’, is now a security expert and worked with the FBI as an advisor after he was released on parole from jail in 2014.

Many companies now employ ex cyber criminals as cyber security personnel, but other companies have policies that prevent ex-offenders being offered cyber security jobs.

One of the companies that does give cyber security jobs to ex-cyber criminals is Radware. Adrian Crawley of Radware said:

“Businesses need to get prepared fast, and there’s no better way than to see an attack than through the eyes of a hacker. I think we’ll see the trend to seek the opinion of an ex-hacker grow exponentially in the next year as businesses review their blind spots.”

In another recent news report, the payment and cyber security organisation, Secure Trading, confirmed that it had appointed Mustafa Al Bassam in the role of security advisor. Al Bassam used to be known by the nickname Tflow when he was a key member of the hacker group LulzSec. Aged 16, he was arrested for his part in hacking attacks on Sony, PBS and media group Fox. He received a suspended jail sentence and 500 hours’ community service.

Secure Trading has not attempted to hide Bassam’s past crimes. They praised Bassam’s expertise on blockchain technology, Secure Trading said that they are “lucky to have Mustafa on board.”

There are many within the IT industry that disagree with letting ex-cyber criminals have cyber security jobs though, fearing that they may not have left their criminal past behind. Many cyber attacks are from outside hackers, but several are from someone within a company that has inside knowledge of the security systems. Employing an ex-cyber criminal allows them access to a company’s IT security systems. Some believe there is a risk that the people with dubious pasts could use this information to carry out cyber crimes or pass on security access details to other hackers.

Trustwave employs what it describes as ‘ethical hackers’, or people who are experts in hacking but who have not used their knowledge for criminal acts. Lawrence Munro of Trustwave said that his company would never employ people with a record of cyber crime. He believes that it is a gamble not worth taking when ethical hackers are available.

Another security firm, WhiteHat Security, is against hiring ex-cyber criminals. Its CEO, Craig Hinkley, said:

“The only way we can stand up in front of a customer and tell them we are on their side is to ensure they know that we have never been on the other side.”

Adrian Davis, ISC2’s managing director, warned against the glamorous perception of hackers. He said:

“The rock star image surrounding many of these reformed malicious hackers is not what we should be promoting to the public. it’s an image that runs counter to our objectives, blurring the effort to attract the broad range of talent we need to protect our society and economy.”

Others within the cyber security industry see the issue as greyer rather than black and white. David Calder of security specialists ESC says that companies have to consider that a convicted hacker may be more skilled at cyber security than a noncriminal.

Another argument put forward by some companies that employ fomer cyber criminals is that if a cyber criminal has served their time, learned that what they did was wrong, and become a fully reformed, then they should be given a chance. Many cyber criminals, like Mustafa Al Bassam at 16, were very young when they were caught. There are many examples of people who have committed criminal acts when they were a teenager who have gone on to lead honest, responsible adult lives.

The CEO of IRM, Charles White, has defended the practice of hiring ex-criminals by saying:

“Most respectable information security consultancies are professional enough to operate within the guidelines of the rehabilitation of offenders and understand that ex-hackers can provide a valuable insight into how the real world hacks.”

Others point out that hackers are often resourceful and creative individuals who can think outside the box, and these are the qualities needed for an expert cyber security employee.

Another approach is to consider is why young people are tempted to become criminal hackers in the first place. For many young people, hacking has a trendy image. Is it possible for the cyber security industry to change its image, so that cyber security jobs are seen as glamorous and attractive? Criminal hacking offers the challenge of trying to beat the system. Building and maintaining an effective cyber security system that keep cyber criminals out can be seen as equally, if not more challenging. If companies can make cyber security jobs attractive for talented individuals and then invest in training them, these individuals could find a job in cyber security a better choice than the risks involved in cyber crime.

Perhaps a more important issue than whether an employee has a criminal record or not, is how to train and recruit highly skilled individuals for cyber security jobs so that they can effectively protect a company from cyber criminals.