Should we hire criminal hackers as security experts? This is the second of a two-part attack on the idea from a 1995 debate in which I participated.
* * *
On a broader scale, consider the message you would be giving some thirteen year old proto-hacker. These kids, like most kids, are tremendously susceptible to peer pressure. They already find criminal hacking attractive because it's viewed as today's counter-culture — something fairly harmless (compared with, say, dealing drugs) but exciting because it's illegal. Now imagine that the older creeps can announce that they've just been hired by The Man (i.e., authority figures) to work in counter-intelligence, snooping in foreign companies' files for money (you don't imagine they'd keep it quiet, do you?). Oh man — not only is criminal hacking glittering with the allure of the forbidden now, but you can hope to earn money with it from the government!
The children and emotionally-arrested adolescents involved in criminal hacking already have a love/hate attitude towards The Man. Many of them claim that they'd like to work for security firms when (if) they grow up. This myth that criminal hacking is a reasonable basis for work in security would become even more pernicious if it were known that more hackers had in fact been solicited and used by government or corporate organizations. Using such people would reinforce the attractiveness of criminality.
Consider the outcry if the military in a democracy actively solicited murderers to be soldiers. The great challenge of military training is to temper savagery with honor; to provide a moral framework within which war is viewed as undesirable, killing as regrettable. A soldier who lies is a stain on his unit’s honor. A soldier who steals is a wretch who deserves expulsion. And a soldier who breaks his word is a traitor to his country. And so how shall we deal with people whose entire way of life is to lie and to steal and to cheat?
I say they're unfit to serve.
At the most fundamental level of all, the end does not justify the means. To use criminals, to honor them, to praise them, to pay them: this would be yet another blow against morality and decency. And it would be a blow without even the excuse of necessity. We do not need criminal hackers. Information security can be strengthened using the skills of honest people — hackers, if you like, but not criminal hackers. We should be encouraging children who enjoy using computers to learn more, to learn deeper. We need school teachers who have more than merely a superficial knowledge of the user interface: we need teachers with a thorough grounding in computer science. We need books for children to teach operating systems fundamentals and database theory in an enjoyable, challenging way; we need recognition for the gifted — support for the oddballs who prefer trackballs to basketballs. We need donations of computer equipment and texts from companies who see that helping kids learn is a wise investment in everyone's future. Why not donate used mainframes and servers to help kids learn about operating systems and networks? Let's give brilliant kids with a knack for security summer jobs so they can use their skills to help society instead of feeling marginalized.
What we don't need is reward for dishonesty and praise for sociopathy.
In the Hacker Debate at the InfoWarCon 95, someone asked me if I recommended blackballing all hackers who engaged in illegal activity in their adolescence. I answered that no, there should not be a lifetime ban on criminal hackers — as long as they show that they understand their moral and legal obligations to society and their employers or clients. If a person shows by their actions that they have matured and now repudiate their former lifestyle, by all means give them a chance. Keep them under supervision, avoid putting them in temptation's way, and be on your guard — but by all means welcome recovering hackers back to society.
Just don't solicit people because they are or were criminal hackers.
This story, "The Fruit of the Poisoned Tree" was originally published by Network World.