If someone had a criminal record for hacking, should they be considered for recruitment by a country’s cyber defence forces?
That’s the question that has been asked by BBC Newsnight’s team, who has been exploring the UK Defence Secretary’s plans for a new force capable of launching internet attacks on other countries as a deterrent against them striking Britain.
In an interview broadcast live on BBC Two, Defence Secretary Philip Hammond MP told Newsnight that he would not rule out hiring hackers.
Of course, any prospective new recruits with a criminal hacking background would need to pass appropriate security vetting.
As a matter of policy, the armed forces don’t necessarily exclude people who have criminal convictions. Each individual case would be looked at on its merits. The conviction would be examined in terms of how long ago it was, how serious it was, what sort of sentence had followed. So I can’t rule it out.
That position appeared to be backed by Lt Colonel Michael White, commander of Joint Cyber Unit (Reserve).
The programme also interviewed Jake Davis and Mustafa Al-Bassam (former members of the notorious LulzSec hacking gang, who were convicted earlier this year).
Newsnight brought Al-Bassam (who went by the online handle “T-Flow”) together with Dr David Day, the Sheffield Hallam University computer forensics expert who provided evidence for the conviction, for the first time.
See what you think, but I felt their encounter came across like an awkward blind-date in a rave nightclub projecting binary onto its walls…
In the broadcast edition of the programme, Day wrestles with the question of whether he would offer a convicted hacker a job or not:
Day: That’s tricky. That’s very tricky. I think it would have to be every case on its merits.
Newsnight: You’ve met Mustafa today. Would you employ him?
Day: Umm… He seems like a really nice lad, and he’s obviously clearly very talented. I might.
You can watch the full report here on the BBC News website.
Of course, it’s not necessarily the case that former malicious hackers are the best people to employ if you want to defend against hackers.
For instance, the typical malware author is primarily interested in infecting a computer. They don’t care about whether their malware works properly on different versions of an operating system, or if it conflicts with software which might already be installed on the computer.
Those who write anti-virus software, however, need to write code which works at a very low level on the customer’s computers and servers, which does NOT crash or cause software conflicts, on a wide variety of operating systems, all without adversely affecting system performance.
Of course, there are different areas of cybercrime. Someone who is skilled in finding exploitable weakness in software might be a good person to have on staff as a white-hat penetration tester or vulnerability researcher, testing your own products or your company’s security.
And those skills, of course, could be targeted at the networks of foreign countries, or used to find exploitable vulnerabilities in software used by enemy nations, if that was your line of work.
But again, issues of trust, ethics and maturity tend to rear their heads.
If you worked for a company, would you be prepared to put your neck on the line hiring someone you knew to be a convicted criminal to work in your security team? How would you feel about justifying that decision to the board, if the worst happened and your new recruit turned out to still be one of the bad guys?
It’s clear that you’re never going to be fired for *not* hiring the guy who used to be in jail for hacking.
There’s also the danger that the convicted hackers may not be the geniuses that the media typically presents them as (remember – they got caught!), and indeed might simply have exploited simple mistakes made by employees of the company that was hacked (for instance, poor password choices, weakly secured websites, or lax security leading to account information being phished).
It feels to me that the abilities of some hackers have definitely been exaggerated by the mainstream media in the past.
I would love it if the criminals were glamourised less, and the *real* heroes (the ones who write security software that protects us every day) were applauded more for what they have contributed.
However, one has to be realistic. The United Kingdom and other countries are gearing up their internet attack forces (sorry… deterrent teams), and will not have many qualms about hiring people who have previously used their hacking skills for malicious purposes.
Let’s hope – for the defence force’s sake – that the vetting is thorough, and the hackers have learnt their lesson.
I also hope that the recruiters don’t imagine that applicants with a criminal past are somehow better qualified than those who had the maturity and ethics to walk the straight path.
What do you think about this issue? Leave a comment below with your thoughts.
2 comments on “Should the armed forces hire convicted hackers?”
Re:"There’s also the danger that the convicted hackers may not be the geniuses that the media typically presents them as (remember – they got caught!), and indeed might simply have exploited simple mistakes made by employees of the company who were hacked. (For instance, poor password choices, weakly secured websites, or lax security leading to account information being phished)."
It also comes to mind that they are merely script kiddies, which definitely is the case if they are not so skilled. But that won't stop the media and I fear nothing will – any damage done will continue and new damage will occur too.
Re:"It feels to me that the ability of some hackers have definitely been exaggerated by the mainstream media in the past."
Definitely true, including high profile cases like Kevin Mitnick. That he used social engineering so much raises credibility in general but also shows that he didn't rely so much on technical expertise. I seem to remember that after he got out of prison and started his company (teaching people how to social engineer – sadly not a hard process yet he would be the kind to take advantage of this) his server (the one for his teaching of social engineering) was rooted – more than once. Says a lot when he then blames it on his host rather than be up front and elaborate on it like some organisations do (e.g., Apache, which wrote a document explaining how and why they were compromised, some years back). His only defence was that his host is at fault (whether it was the case or not, is irrelevant: he didn't make any attempt to be sincere – we all make mistakes so why not be truthful about it? Because he relied on lying, perhaps?).
On the other hand, re: "I would love it if the criminals were glamourised less, and the *real* heroes (the ones who write security software that protects us every day) were applauded more for what they have contributed."
While it is certainly true they are glamourised much more than they should be (many examples come to mind) I do think that some do in fact have quite the expertise. Not all though of course. (The real answer is sensationalism.) One example group is old school virus writers (so those using assembly; I mean Dark Avenger had some really clever techniques and that's only one example of many). Certainly there's much to be desired on both sides though and yes, you're right (I bring it up below as why – something I know you instinctively know, sad as it may be). Another way it is bad that the media likes to make it appear wonderful, is this (actually two parts to it):
– First, the original meaning of hacker being tainted by the media and governments. Yet, who glamourises the criminals (that may or may not be in the original definition of hacker – would depend on what they were about and why they actually went into the criminal territory)? But let's remember that if it were not for hackers the Internet would not be what it ever was (or is). Sadly, tell that to most people and you'll get bad looks or confusion at best because the word has been so tarnished.
– Then, the fact that the media glamourises convicted computer criminals means more are drawn into it – for that very reason (glamour). But what happens? They are then busted and now have a messed up life. An example is the 404 hacker group of the 80s. The media and its sensationalism really does ruin lives, yet at the same time they do it for a reason: it's what draws in viewers. It's quite sad and it's an insidious, infinite loop. This isn't actually my own thinking – only the analogy of an insidious infinite loop is (although I recognised it as correct once I read it) – but instead was a point made by Ken Thompson. He was correct, as ever, though. This, naturally, is why the media won't really be so thankful or appreciative of those protecting others (maybe it's good though, in a way? I mean, look at the harm they can create).
Just some random thoughts…
Funny. If I'd steal an apple (no, not the supid iphone), and got busted, I'd be facing a 2 year sentence for stealing (even if it would just colmatate my hunger, after all, no one can live solely on apples, except maybe the late Steve Jobs, but that's another story), these guys hack, crack, destroy, prey, and perhaps kill (remember the butterfly effect), and the worse thing that can happen to them is getting hired by a big corporation onto how to discover exploits on their systems…
WHAT'S WRONG WITH THESE PEOPLE!??