Cyber-security ethics: the ex-hacker employment conundrum
The hiring of a former Lulzsec hacker by a respected cyber-security company has raised some interesting questions as to the role of former black hats in the white hat's world.
Should IT security companies employ those who spent time on the other side of the law?
Secure Trading, a payments and cyber-security group, has announced that it has appointed Mustafa Al Bassam as a security advisor on the company's technology and services, including a new blockchain research project. Al Bassam, however, is perhaps better known as Tflow, a former core member of the LulzSec hacker group.
According to Wikipedia, Tflow played an integral part in the Anonymous operation that hacked the HBGaryFederal servers in 2011, and leaked more than 70,000 private emails.
Arrested in July 2001, at the age of 16, Al Bassam was arrested in connection with high-profile LulzSec attacks on fox.com, PBS and Sony amongst others. Pleading guilty to charges under the Computer Misuse Act, Al Bassam was handed a suspended sentence of 20 months, 500 hours of community service and a two year Internet ban.
Secure Trading is not attempting to hide any of this, rather it insists that as there are very few experts in blockchain technology, saying "we're very lucky to have Mustafa on board."
Secure Trading Chairman, Kobus Paulsen, says that by developing the Trustery blockchain project the group hopes "to use his skills and create technology to help make the world of ecommerce safer for thousands of customers."
As well as creating a commercial platform to bring the security benefits of blockchain technology to its customers, Secure Trading also says that Al Bassam will work closely with sister company Cognosec as a security adviser. Secure Trading non-executive director, and a former Home Secretary, Lord David Blunkett says that "if we are to protect ourselves, we have to be just as innovative as they are – we need to educate and arm ourselves against tomorrow's threats."
Not everyone within the IT security industry agrees that hiring convicted former black hat hackers is the way forward though. Take Vanita Pandey, Senior Director of Strategy at ThreatMetrix, who told SCMagazineUK.com that while there is value in being able to think like a cyber-criminal, and leveraging that knowledge is a benefit "it's crucial to be able to effectively monitor their activities and this is where the situation gets tricky."
Pandey suggests that, in a digital world, attacks and compromise can happen both from the outside as well as the inside and employing someone with past record of cyber-crime makes the businesses especially vulnerable. "Many of the benefits could be realised using ethical hackers" she concludes "who can deliver the benefits without the potential risks."
As director of a team that includes ethical hackers, Trustwave's Lawrence Munro says he would "never knowingly hire someone with a criminal record, especially if their record included breaches of the Computer Misuse Act." Munro reckons such a thing would be a red flag for him, and while it "may seem draconian to omit individuals who are open about their past brushes with the law" it's simply not worth the risk when there are white hats available.
Craig Hinkley, CEO at WhiteHat Security, is equally dismissive of the ex-hacker benefit. "The only way we can stand up in front of a customer and tell them we are on their side" he told SC, "is to ensure they know that we have never been on the other side." Image is also on the mind of Dr Adrian Davis, Managing Director at (ISC)2, who warns that giving the public an impression of rock star appointments paint a negative picture. "The rock star image surrounding many of these reformed malicious hackers is not what we should be promoting to the public", Dr Davis says "it's an image that runs counter to our objectives, blurring the effort to attract the broad range of talent we need to protect our society and economy."
There are two sides to every debate, and just as many within the industry were happy to support the hiring of reformed hackers when asked by SC about the matter.
David Calder, managing director of ECS Security told us that "the line between right and wrong is grey in the security industry" and pointed towards legitimate security researchers suffering from a shifting public (and legal) position on whether it is acceptable to investigate weaknesses in computer systems. "An employer has to consider whether someone convicted for hacking is more capable of securing systems than someone who does not have a conviction" Calder insists "the best ethical penetration testers in my opinion are those who have the skills to use the right tools."
Michael Fimin, CEO of Netwrix, goes further in suggesting that "former hackers, regardless of where their knowledge was acquired, have two things in common: creativity, focus and ability to think beyond the boundaries of traditional IT security." Fimin reckons a company that employs a former hacker is just as likely to be perceived by public as innovative and able to think out-of-the box, caring about customer security and using all available resources to confront adversaries.
Pete Shoard, SecureData's chief architect, admits that "employing convicted individuals always carries stigma, and with hackers you are not looking at an individual who you are trying to morally develop (like you may with a thief), but someone you want to exploit for their criminal skill set." Certainly the perception is that the business is taking risks with customers' data or (in the financial industry) money which is where a business could gain some bad press. "That said", Shoard continues, "if they demonstrate their monitoring and security is top notch and that the employment of such an individual is of benefit to this process and is not excluded from the reach of current security, then it is easier to justify why you would employ a convicted criminal."
Daniel Smith, a security researcher at Radware thinks that those who have served their time, and have learned from their mistakes, should be given a fair review. "The amount of intelligence a company can gain when hiring an ex-hacker can be exponential" he told SC. Just look at Kevin Mitnick and Kevin Poulsen; both ex-hackers who grew out of the criminal phase and became successful inside the professional industry. "Hiring someone like Mustafa can become a key advantage for a company", Smith insists, "providing meaningful insight and in-depth understanding about the company's current threat landscape."
Michael Bennett, managing director of ReThink Recruitment, told SC that, generally speaking, he would hire ex-hackers "purely because you're guaranteed to access skills that aren't readily available in the employment market." That said, Bennett admitted it's not quite as black and white as that; not least because factors such as whether they are actually cut out for an office job come into play.
And, of course, policy regarding the employment of someone with a criminal record. Paul Fletcher, cyber-security evangelist with Alert Logic, says that one way companies get around existing policy regarding the hiring of those with unspent criminal convictions is by putting a legal contract in place "which details expectations and consequences." As long as the organization's legal team is heavily involved, and approval given at the highest level of the organization, this can work well enough.
Charles White, CEO of IRM, hits the nail on the head when he says that "most respectable information security consultancies are professional enough to operate within the guidelines of the rehabilitation of offenders and understand that ex-hackers can provide a valuable insight into how the real world hacks."
After all, the information security industry is of one voice that the dumbing down of penetration testing to satisfy a tick box regime has done little but give a significantly false sense of security to UK Plc. For most consultancies, security testing that is limited in its scope or forbidden to utilise particular attack vectors is worthless. "An ex-hacker would tell you nothing is out of scope and everything is in scope" White points out "so if you are serious about helping your clients protect their information assets, the ex- hacker has a wealth of knowledge and experience."
IRM Ltd works in collaboration with Ryan Ackroyd when presenting to boards of directors on this topic. Ackroyd is perhaps better known as Kayla from his LulzSec and Anonymous days. White told SC that IRM is "open to recruiting ex-offenders who are reformed and whose convictions are spent where the individual can clearly demonstrate that illegal activity is behind them and a much more lucrative career can be perused in assisting companies to protect themselves..."