[BreachExchange] Is hiring a hacker ever a good idea?

Destry Winant destry at riskbasedsecurity.com
Thu Sep 13 09:18:51 EDT 2018


https://www.zdnet.com/article/is-hiring-a-hacker-ever-a-good-idea/

In the fight against cyber crime, it's often claimed there aren't
enough security professionals around to keep organisations safe from
ever-evolving security threats.

But there is one group who should have the skills and the mindset to
find the gaps in computer networks that crooks misuse and help to
close them: criminal hackers themselves.

Often these are young, foolish and sometimes not even aware they are
breaking the law. But how to make sure that the talents of these
youngsters are harnessed for good, rather than for evil, is a
challenge that the tech industry and law enforcement agencies are
still grappling with.

"We do a lot on prevention to stop these kids from going into cyber
crime -- some don't even know that it's criminal what they're doing,"
said Paul Hoare, head of cyber crime incident management at the
National Crime Agency, speaking at Cloudsec Europe 2018 in London.

"A lot of them are very talented and would be a huge boon, so there
are lucrative careers for them in cyber security without getting
involved in criminal areas -- we're trying to divert them from that."

But there's a key issue looming over the question of hiring those who
have dabbled with the dark side, or have even been convicted of such:
can they be trusted? Could they take advantage of a position of trust
and abuse it for malicious intent?

"It's a really difficult ethical question and it's a really difficult
risk-management question -- not just for a security vendor, but for
anyone who's effectively hiring someone into a position of trust," Rik
Ferguson, VP of security research at Trend Micro and host of the
Cloudsec panel, told ZDNet.

"Even the concept of domain admin within a corporate scenario is a
position of elevated trust where, if you wanted to, you could do a lot
of damage or have access to a lot of things you shouldn't have access
to for the purposes of stealing information. However, everyone
deserves a second chance," he added.

But for those who've previously been arrested or convicted for cyber
criminal activity, refusing to engage with them could also mean they
can't find a legitimate outlet for their skills.

"It isn't black and white. Some people say if they've committed an
offence, they'll never hire them -- but you're basically giving them a
life sentence and that's very problematic," said Nicole van der
Meulen, senior strategic analyst at Europol.

And while there are training schemes to encourage people into cyber
security, some of the traits demonstrated by hackers -- and former
hackers -- can't be taught in class.

"Curiosity, tenacity, stubbornness, parallel thinking -- all of those
things are more important than any professional certification or
computer science degree," said Ferguson.

"Because the technical skills you can teach someone -- being the
appropriate type of person for the role, is not something you can
teach. That's why this question of if you should hire someone with a
shady past is such a tough one because clearly they have the
curiosity, tenacity, stubbornness, because that's why they went down
that path in the first place. I have no idea what the long-term answer
to that is," he added.

However, not all young kids who stray into cyber criminal activity can
be treated as highly skilled, because it can be surprisingly simple to
pick up malware, DDoS or other attacks and deploy them. In some cases,
almost no skill is required at all.

"When you actually speak to some of them and see how they did their
attacks, they're not that clever, some of them," said Charlie
McMurdie, former head of the Police National Cyber Crime Unit and now
senior cyber-crime adviser at PwC. "It's fairly easy and fairly cheap
to commit cyber attacks, to buy a phishing kit or whatever."

McMurdie suggests organisations talk to these lower-level attackers to
get inside the mind of a hacker and understand why they do what they do
-- information which can ultimately be used to understand attacks and
improve security.

"I think where they're useful sometimes is to understand the
motivations and why they do certain things, how they got involved in
certain acts, rather than hiring them for their technical
capabilities," she said.
