Organizations are often hesitant to access the talent pool of ex-black hats and reformed hackers. In the age of the cyber skills gap, are they a resource we can afford to ignore, asks Kate O’Flaherty.
The cyber security skills crisis presents a strong case for hiring reformed blackhat hackers. Among their skills, the talented coders are curious by nature. They also have a unique mind set that is a valuable asset to firms seeking to stay ahead of constantly evolving security threats.
Former blackhats are usually self-taught, and start breaking into systems at an early age. Take for example, former LulzSec member, Jake Davis – AKA Topiary – who is now a whitehat hacker about to launch his own cyber security company.
After being arrested in 2011, Davis made the most of his short prison stay by teaching his fellow inmates – who called him “hacker” – about encryption.
Another success story grown from hacktivist group LulzSec is Mustafa Al-Bassam, previously known as Tflow. The 22-year-old is now a security advisor at online payments service provider Secure Trading and is taking a PhD in computer science at University College London.
Meanwhile, Cal Leeming is a reformed blackhat who started breaking into systems aged 10, when he also set up his own hacking group. He was caught when he was 12, and convicted aged 13, making him the youngest convicted hacker in the UK.
Leeming is now a security advisor at his own company. He works with private clients and law enforcement in the UK, helping them to use technology to stay secure. He became a force for good upon leaving prison when his investigating officer got him a job at one of the banks he had hacked. He helped the bank secure its system before moving to California to work with start ups and is now back in the UK.
One advocate of hiring reformed blackhats is investigative journalist Brian Krebs, who thinks societies need to try to cultivate young criminals’ talent in order to use them for good.
A growing number of firms are already open to hiring former blackhats like Leeming, Al-Bassam and Davis. According to KPMG, 57 percent of firms are finding it difficult to retain cyber security staff. Over half would consider hiring a hacker or someone with a criminal record to keep ahead of the game.
Among the skills they have to offer, says Chris Pogue, CISO at Nuix: “These are creative people and they are tremendous problem solvers. Organisations are good at knowing themselves, but not their enemy – and hackers have the advantage of being able to know the adversary.”
As Adrian Sanabria, senior analyst at 451 Research says, firms do not have to take on former blackhats full time. For example, he says: “If a company is after the hacker’s knowledge of attack strategies and tactics, they can just hire them as an independent consultant to get what they need.”
As the cyber security skills gap grows, Martijn Verbree, partner in KPMG’s cyber security practice, thinks companies should consider taking on reformed hackers. He says KPMG has not yet hired a former blackhat, but the firm’s policies do not prevent it from doing so in the future.
If the opportunity did arise, he says: “What we would want to know is why they were convicted. Have they served their sentence; have they learned from it and have we got confidence they wouldn’t fall into a similar sort of trap? We would put safeguards in place – understanding what conviction was about – and ask questions about what they have learned and why they went a certain way, and why they are changing.”
Not all companies are open to the idea. Many firms have issues with trust that would rule out hiring a reformed hacker. Jay Kaplan, CEO at Synack, says he would not add a former blackhat to his freelance hacking team, regardless of the circumstances. “People who have questionable ethics sometimes don’t follow the rules. When someone finds a flaw or vulnerability we don’t want them to expose it outside of our platform. If records are compromised, we need to make sure they aren’t leaked.”
Jamal Elmellas, CTO at Auriga Consulting would not rule out hiring a former criminal hacker, but his business partner would. “My partner thinks: how do you know that person doesn’t have bad intentions? You would somehow have to trust this person. I can see her point. There is no guarantee that they aren’t going to run off with your company data.”
Fighting the threats
At the same time, former blackhats can be the best people to consult about the threats firms face today. They are often candid in their approach, and unafraid to point out that the security mistakes made by companies are basic.
Al-Bassam says: “Unfortunately the most common security mistakes made today are the same that were made 10 years ago: poor password management and basic software vulnerabilities such as SQL injection.”
Leeming also thinks simple things are biggest threat. He tells SC UK: “Using the same passwords; using old passwords but adding a number on, or changing the number. Not patching; typing the password in public; having sensitive conversations in public; phishing as well. Basic stuff is catching companies out.”
So firms are missing out by failing to engage hackers for their own benefit, says Davis. There are countless low-risk ways to do this, he points out. For example, potential blackhat hackers are being used by forward-thinking businesses through bug bounty websites.
Sites such as HackerOne and Bugcrowd allow hackers to tell firms where there is a vulnerability. “You tell them how to fix it and they pay you – sometimes in Bitcoins allowing you to remain anonymous,” Davis explains. “In the old days, the only option for blackhat hackers once they broke into a company was to expose the information. That isn’t the case now.”
Interestingly, those who practice “hacktivist” hacking at a young age like Davis are usually uninterested in financial gain. They are as a result a very different type of adversary to the career criminals that appear on the darknet.
In addition, the former blackhats claim, they are very unlikely to reoffend. Al-Bassam points out: “People with computer misuse convictions have a near 0 percent re-offending rate, compared to other types of crime. Therefore, it seems like a win-win situation to get the unique expertise of someone who has knowledge of hacking in practice, at practically zero risk.”
People with hacking convictions have a low appetite for risk, says Leeming. “If you hire a whitehat who hasn’t sat in a prison cell, they aren’t necessarily going to turn down a six figure sum to share your company’s customer details. For me, having been in that cell, it isn’t worth any money.”
Taking this into account, ruling out hiring these talented individuals altogether seems irrational. Sanabria advises: “The proper way to handle it is case-by-case. It isn’t easy, but it is in the company and public’s best interest.”
But at the same time, Leeming says: “Some companies just see a stigma behind it and it’s an immediate strike off. That’s fine; they are entitled to do as they wish.
“But when I hear companies and governments say they don’t hire ex hackers because they don’t need to and already have the skills: That is rubbish. People who have been convicted for hacking are great at certain things – there is a clear characteristic that defines the tasks they are better at.”
For example, he explains: “I find you can put a device in front of an ex hacker and say, ‘we are trying to find the vulnerability, can you help?’. They will stay up for two days straight to work this out. It’s the culture and mind set – a hacker’s mind set.”
Leeming says there are a lot of companies prepared to give people in his situation a chance: “For every company that turns you down, there are a lot that will happily take you on board. In my experience these are the companies that don’t have lots of politics and corporate policies; they are ‘get stuff done’ kind of people. And I find a lot of people who come from that [former blackhat hacker] world work better in a less restrictive environment.”
Part of cultivating young talent is about stopping them from offending in the first place. It is important to engage young people early. Most reformed blackhats think the UK education system needs to improve to encourage more kids to go into cyber security.
Davis says: “Kids want more practical, interactive lessons, with real penetration testing, learning how to make and break servers.”
But it is a challenge, Al-Bassam says: “Computer security and hacking requires a mindset that schools could never foster on a wide scale. If schools started teaching kids penetration testing skills, it would probably be so boring that they would kill their motivation in it.
“Instead, we need to let young people who are naturally interested to come forward themselves, and give them the encouragement needed to pursue a career in it. That means not demonising them if they mess around with their school’s computers.”
The industry and government are realising that something needs to change, with initiatives to attract young people into cyber security such as apprenticeships. Meanwhile, the Department for Culture, Media and Sport is about to launch an education programme for 14 to 18 year olds.
The key is to try to identify talent and nurture it at an early age, says Ken Allan, cyber security expert, PA Consulting Group. “However, people from industry, academia and government have a role to play in accelerating the number of people coming into the whitehat world.”
Feature by Kate O’Flaherty