If someone had a criminal record for hacking, should they be considered for recruitment by a country’s cyber defence forces?
That’s the question that has been asked by BBC Newsnight’s team, which has been exploring the UK Defence Secretary’s plans for a new force capable of launching internet attacks on other countries as a deterrent against them striking Britain.
In an interview broadcast live on BBC Two, Defence Secretary Philip Hammond MP told Newsnight that he would not rule out hiring hackers.
Of course, any prospective new recruits with a criminal hacking background would need to pass appropriate security vetting.
As a matter of policy, the armed forces don’t necessarily exclude people who have criminal convictions. Each individual case would be looked at on its merits. The conviction would be examined in terms of how long ago it was, how serious it was, what sort of sentence had followed. So I can’t rule it out.
That position appeared to be backed by Lt Colonel Michael White, commander of Joint Cyber Unit (Reserve).
The programme also interviewed Jake Davis and Mustafa Al-Bassam (former members of the notorious LulzSec hacking gang, who were convicted earlier this year).
Newsnight brought Al-Bassam (who went by the online handle “T-Flow”) together, for the first time, with Dr David Day, the Sheffield Hallam University computer forensics expert who provided evidence for the conviction.
See what you think, but I felt their encounter came across like an awkward blind-date in a rave nightclub projecting binary onto its walls…
In the broadcast edition of the programme, Day wrestles with the question of whether he would offer a convicted hacker a job or not:
Day: That’s tricky. That’s very tricky. I think it would have to be every case on its merits.
Newsnight: You’ve met Mustafa today. Would you employ him?
Day: Umm… He seems like a really nice lad, and he’s obviously clearly very talented. I might.
You can watch the full report here on the BBC News website.
Of course, it’s not necessarily the case that former malicious hackers are the best people to employ if you want to defend against hackers.
For instance, the typical malware author is primarily interested in infecting a computer. They don’t care about whether their malware works properly on different versions of an operating system, or if it conflicts with software which might already be installed on the computer.
Those who write anti-virus software, however, need to write code which works at a very low level on the customer’s computers and servers, which does NOT crash or cause software conflicts, on a wide variety of operating systems, all without adversely affecting system performance.
Of course, there are different areas of cybercrime. Someone who is skilled in finding exploitable weaknesses in software might be a good person to have on staff as a white-hat penetration tester or vulnerability researcher, testing your own products or your company’s security.
And those skills, of course, could be targeted at the networks of foreign countries, or used to find exploitable vulnerabilities in software used by enemy nations. If that was your line of work.
But again, issues of trust, ethics and maturity tend to rear their heads.
If you worked for a company, would you be prepared to put your neck on the line hiring someone you knew to be a convicted criminal to work in your security team? How would you feel about justifying that decision to the board, if the worst happened and your new recruit turned out to still be one of the bad guys?
It’s clear that you’re never going to be fired for *not* hiring the guy who used to be in jail for hacking.
There’s also the danger that the convicted hackers may not be the geniuses that the media typically presents them as (remember - they got caught!), and indeed might simply have exploited simple mistakes made by employees of the company that was hacked (for instance, poor password choices, weakly secured websites, or lax security leading to account information being phished).
It feels to me that the abilities of some hackers have definitely been exaggerated by the mainstream media in the past.
I would love it if the criminals were glamourised less, and the *real* heroes (the ones who write security software that protects us every day) were applauded more for what they have contributed.
However, one has to be realistic. The United Kingdom and other countries are gearing up their internet attack forces (sorry... deterrent teams), and will not have many qualms about hiring people who have previously used their hacking skills for malicious purposes.
Let’s hope - for the defence force’s sake - that the vetting is thorough, and the hackers have learnt their lesson.
I also hope that the recruiters don’t imagine that applicants with a criminal past are somehow better qualified than those who had the maturity and ethics to walk the straight path.
What do you think about this issue? Leave a comment below and share your thoughts.