Hiring hackers

by James Turner
14/10/2008

Ethical or ‘white hat’ hacking has become an everyday reality for government and business. But as James Turner writes, knowing who to trust can be difficult.

There was recently a case in New Zealand where a young man was charged with a number of cybercrimes and was subsequently let off without conviction.

Stuff.co.nz reports that the hacker “pleaded guilty to six charges, including accessing a computer for dishonest purposes, damaging or interfering with a computer system, possessing software for committing crime and accessing a computer system without authorisation” (“Computer general and a botnet army”, 19 July, 2008).

But should the New Zealand police be considering hiring him?

If you go to a presentation from an IT security vendor (or even an IT analyst) and escape without them mentioning that the cyber attacks are now being perpetrated by organised criminals and possibly backed by nation states, then you were probably in the wrong presentation.

Purists will tell you that, actually, it is the Crackers who do the bad stuff, and Hackers are the benevolent folks who are just simply curious about how software and systems work.

But almost no one uses that distinction between cracker and hacker anymore.

And “Cracker” sounds cheesy. It’s much easier to refer to “white hat” and “black hat” hackers.

This terminology comes from the old cowboy films where the good guys wore white hats.

Usually, when we talk about a hacker, we’re talking about a black hat.

It’s only when we throw in the descriptor of white that we’re then talking about the good ones.

White hat hackers are also called Ethical Hackers, or penetration testers.

I know that Australia’s private sector has some top-notch white hats because I’ve met them.

I wouldn’t be surprised to know that the government has a respectable collection scattered around the world.

In fact, I heard about a year ago that a former government hacker was out in the private sector and finding it hard to get work because he was simply too specialised.

If you think of a hacker as being the Internet equivalent of a sniper, then ask yourself how many companies need snipers who specialise in taking out other snipers.

Answer: not many.

But this is where we get to the heart of the matter: the government needs hackers.

Australia needs hackers working for the Australian Federal Police, the Department of Defence, and ASIO.

Here’s where it gets interesting – because our need for hackers is only ever going to increase.

Hackers are the new spies. So where do we find these specialists?

I’ve spoken to people from law enforcement backgrounds who have argued vehemently against hiring hackers.

I’ve met enough engineers working with software vendors to know that if one of these people wanted to do something nasty on the Internet, then it is only a combination of their own personal morality and a fear of the consequences of getting caught which hold them back.

So is hiring hackers an ethical question?

Well, if it is, we might never come to a conclusion.

We could debate the moral ramifications of hiring someone who has broken the law from as many sides as there are moral theories.

Does the end justify the means?

Your perspective on that will still not help you come to a conclusion.

If you think that there are times when tough measures are called for, and sometimes you have to use extraordinary rendition to extract a confession, then you’ll probably think that we should absolutely hire hackers.

But you’ll also think that we (or you) should rough them up a bit first, to make sure they know what they’re in for if they get out of hand.

But if you’re also taking that line of argument, that the end justifies the means, then you will also be thinking that hiring hackers sends out a message to other hackers; and the message is very clear, “mess with us and we will reward you”.

Equally clear is the fact that this is not a good message to send, because then we’ll be besieged by hackers looking for a job – and the collateral damage they could do in the form of a job application may well exceed what we can handle or tolerate.

Would Sir like his SCADA systems totally destroyed, or just unreliable?

Do you consider unreliable nuclear power stations to be an acceptable risk?

No, I didn’t think so.

The greatest good for the greatest number can work, as long as there is a cut-off point, at which time a tally is taken, and your gamble is ahead on points.

Of course, in reality, there is no finish line.

How far into the future can you see?

Unfortunately it will never be far enough.

So, if you were going to hire a hacker, then you don’t want this advertised, and you would need to keep it a secret.

But it’s pretty hard to keep a secret when you then turn around and give the hacker access to the most potent communications network mankind has ever invented.

Furthermore, many of these hackers are, at least, colleagues – and they will notice if one of them suddenly drops off the radar.

Besides, how do you know the hacker isn’t a mole?

If I were a cyber-criminal mastermind, you had better believe I’d be doing counter-intelligence.

On the other hand, if you think that the end does not justify the means, then there is no way you’d hire a hacker because the person is a proven law-breaker.

Despite any and all of the wonderful things a flipped hacker could potentially do, can you ever trust someone who has made the decision – at least once – to actively cross the line and work against the law?

Can you ever trust a traitor?

From my perspective, ethics is not actually relevant to the discussion.

The issue is one of practicality. Does the military scour the prisons for murderers and put them in the infantry?

Of course not.

And why not?

Because reliability of character is required from anyone who works in a team environment, no matter the work.

There are only two ways of hiring a hacker.

The first way is when they walk through your door, introduce themselves and express an interest in working for you and learning (and they have not done anything criminal on the Internet).

The second way is by recruiting hackers straight from school.

I’ve written and spoken with clients a fair bit about Generation Y and how they are so much more familiar with current technology than even my generation is.

But if you think the Gen-Ys are computer savvy, just wait until the kids who are currently in school (and the ones that come after) get going.

These kids will interact with the Internet with the same level of comfort that you and I breathe the air around us.

A teacher I know once made the observation that the number of hacking attempts against the school shot up substantially during school holidays.

It seems that idle hands seek out a keyboard.

The best way to close my argument is with the words of the New Zealand judge presiding over the case mentioned above.

Justice Potter said, “It (the hacking) was not motivated by criminal intent or maliciousness, but by a fascination with computers.

“You are a young man with a potentially outstanding future.”

Amen to that.

Just as the Australian Institute of Sport does talent scouting for future Olympians, the Australian government should be starting now to identify, groom and recruit the hackers of the future.

We absolutely want them on our side.

But we must get them on our terms: when they are young, before they get bored, and before they cross the Rubicon.

About the author: James Turner is an advisor with IBRS, an Australian company that provides research and advice to IT and business managers in Australasian organisations. James specialises in the IT security sector. www.ibrs.com.au