Should tech companies hire convicted cyber hackers?

A student issue analysis for MIS41240 at University College Dublin.

Written by James Veale, Summer 2019. Dublin.

The movie ‘Catch Me If You Can’ is a depiction of the real life story of Frank Abagnale Jr., one of the most successful “con men” in history. Abagnale, through the use of deceit and sheer cunning, lived the life of a pilot, doctor and lawyer. The primary technique that fuelled this lifestyle was the defrauding of banks using sophisticated fake cheques. Abagnale was eventually caught and sent to jail. However, in the movie (and in real life) an interesting development occurs when detective Carl Hanratty catches Abagnale and decides to utilise Abagnale’s very specific skills by offering him a job in the FBI’s fraudulent cheque investigation unit, thus sparing Abagnale from jail time.

One could argue that this was a smart and honourable act by Hanratty, for rather than punishing Abagnale he is putting to work a very specific and useful set of skills. The caught now catches the criminals: an evil purified. But the question remains: was his act socially, morally and ethically correct? After all, Abagnale is a convicted criminal.

I believe tech companies should hire convicted hackers, but with guidelines to reduce risk

The above illustration links to a similar dilemma facing companies operating in the modern cyber world. The threat of organisational cyber-attacks is more prevalent than ever. According to research conducted by Hiscox, the number of firms reporting cyber incidents rose from 45% in 2018 to 61% in 2019. Furthermore, the mean financial loss associated with such attacks has risen dramatically, from $229,000 to $369,000 over the same period, an increase of 61%. Enterprises of all shapes and sizes that have digital operations are susceptible to such attacks, with the recent WhatsApp and British Airways cyber-attacks illustrating that even the biggest companies are at risk.

Cyber-attack protections are readily available, with companies like McAfee and Cisco offering solutions such as intrusion prevention and detection systems. These serve their purpose, but it must be noted that there is no status quo in the cyber world. Attack threats and techniques are constantly evolving. Given this evolving landscape, maybe there is another approach organisations should explore: hiring convicted cyber hackers for cyber protection.

The rationale behind such thinking is certainly logical. The value an ex-hacker can bring to an organisation is tremendous, especially the very particular set of skills learned from ‘playing the game’. Most importantly, they have a hacker mindset, which enables them to think, and therefore act, like a hacker. As a by-product of having had experience in hacker environments, they possess a high degree of implicit hacking knowledge. Such knowledge facilitates the identification of hacking trends, threats and malicious content so as to keep the organisation ahead of evolving threats.

Some companies have followed such rationale and have already hired hackers. For example, Facebook hired George Hotz in 2011, who gained global attention by (1) hacking iPhones so as to crack Apple’s carrier-locking scheme and releasing the first software jailbreak for the iPhone 3GS in 2008 and (2) hacking Sony’s PlayStation 3 and subsequently being sued by Sony. It is important to note that this is not a lone case, as several companies have already hired convicted hackers, including exqSoft Solutions, TelstraClear and Apple.

Undoubtedly the knowledge, skill and expertise convicted hackers have make them valuable assets and shrewd acquisitions for organizations. But a question remains: should organizations hire cyber hackers?

There are certainly risks in undertaking such an action. One risk is negative PR, since media outlets may spin the hiring of hackers as risky and harmful to shareholder value. Such a damning statement could potentially be detrimental in terms of organisational brand worth, morale and share prices. Furthermore, considering that an organisation is inherently a pluralist, political entity (Walsham, 1993), political unrest among employees may follow. Such unrest may result in a drop in employee productivity and in strikes. Finally, there is always the risk that the hacker will hack once more.

To get an industry leader’s view on the matter, I contacted a high level figure at a multinational consulting firm. The respondent stated that all information, including role, context, skills, experience etc., should be investigated and deliberated upon prior to a decision being made, much like any recruitment process. This suggests that, at least in the case of this one organization, hiring convicted hackers is a real possibility.

It is my belief that the decision to hire a convicted hacker is a situational one. Critically, there is huge demand for such skills, as seen in research conducted by (ISC)2, which demonstrates that there is a shortage of 3 million cybersecurity professionals globally.

Considering the arguments I have made, I believe tech companies should hire convicted hackers, but with guidelines to reduce risk.

First, I believe companies must scrutinise the morality of these hackers to determine the reasons and objectives for their criminal actions. Was their attack a backlash against globalisation or corruption? Was their action intentionally malicious, or a means of portraying a belief or a stance of significance? Second, the individual should be vetted to ensure that he or she is safe to work in the company, in the sense of being criminally reformed. Finally, former hackers should be monitored by a fellow cybersecurity specialist until certain benchmarks have been hit or a probationary period of time has elapsed. These suggestions are not exhaustive but may serve as a benchmark for companies when undertaking such an activity.