The rationale for hiring criminal hackers is based on the thinking that “It takes a thief to catch a thief.” But some in the security community — including some hackers at the Black Hat conference this week — say that it is no longer necessary.
It’s not as if the debate is even close to being over — there are numerous cases of criminal hackers turning from the dark side to help the “good guys.” Among the most famous is Kevin Mitnick, who was arrested in 1995 and served five years in prison (he was sentenced in 1999) for hacking crimes including breaking into the FBI phone system while the agency was chasing him.
Mitnick describes himself in a memoir called “Ghost in the Wires” as once “the world’s most wanted hacker.” He now runs his own successful, legitimate consulting business, Mitnick Security Consulting, where he is paid to help companies by exposing their vulnerabilities to people like his former self.
Misha Glenny, a UK journalist who has written extensively about illegal hacking and interviewed a number of well-known hackers, said in a TED Talk from a year ago: “We need to engage and find ways of offering guidance to these young people, because they are a remarkable breed.”
Glenny split illegal hackers into two camps. He said Anonymous and other “hacktivist” groups generally do not use their hacked information for financial gain. They argue that they are providing a service by “demonstrating how useless companies are at protecting our data.”
He also described them as ideologues, who view themselves as the good guys, “battling a dastardly conspiracy — they say governments are trying to take over the Internet and control it, and that they are the authentic voice of resistance, be it against Middle Eastern dictatorships, against global media corporations, or against intelligence agencies. And their politics are not entirely unattractive.”
The other camp, composed of well-organized criminal enterprises, is in it for the money.
But Glenny contends the profile of many illegal hackers from either camp is one of brilliant but socially awkward people who developed their skills in their teens, when their “moral compass” had not yet developed. “Most did not demonstrate any real social skills in the outside world — only on the web. One other thing is the high incidence of hackers like this with characteristics of Asperger’s Syndrome,” Glenny said.
They should not be jailed, he said, “because they have lost their way or been duped.” He said the U.S. and UK should follow the lead of China and Russia, which are developing offensive cyber capabilities, “and recruiting hackers both before and after they become involved in criminal and industrial espionage activities and mobilizing them on behalf of the state.”
Those arguments are not entirely persuasive, however, to Aaron Cohen, a founder of the Hacker Academy, a cloud-based training program for information security professionals.
Speaking from the Black Hat conference now under way in Las Vegas, Cohen said the general consensus of those in the industry is that “it depends” on individual circumstances. “In our circles, it is not a debate that happens that often,” but it comes down to “how bad were they, and can they be made good?”
But Cohen said a more relevant issue is that enterprises don’t really need to hire criminal hackers and try to reform them. “A lot of guys are figuring out they can make a lot of money and don’t have to go to jail,” he said, adding that being socially awkward does not really justify criminal activity.
“I’ve met a lot of socially awkward people in our industry who have found their place — their niche,” he said. “This is a field that pays really well for good talent. You can be 23 and make more than $100,000 a year doing something that you love to do. So you don’t really have to hire bad guys. I can find just as many really good hackers who we’ll hire right out of college.”
That is also the general view of Teague Newman, an independent contractor and expert in penetration testing, who was part of a team that showed how jail security systems could be hacked and all the cell doors opened with a single phone call.
“Obviously [hiring an illegal hacker] is going to be situational,” Newman said. “You would want to know if it’s malicious, or for something they believe in.”
But while he said illegal hackers should not be shut out of the job market, he said: “I don’t know that that is a model people should strive for. Some people just shouldn’t be hired.”