With a lack of qualified talent and the increasing threat of breach upon them, is it any wonder that organizations turn to “the dark side?” Or, the reformed dark side?
Looking to boost their IT security support or just find vulnerabilities and potential attack vectors they may have missed, some companies are choosing to pull from the pool of former black- or gray-hat hackers to fill out their own cybersecurity ranks, or to handle one-off projects or conduct penetration testing on a contracted basis.
“I have been in the pen testing world for 16 years,” says Katie Moussouris, founder of Luta Security, which matches hacker talent with government agencies and corporations. “This kind of conversion from people who have been caught doing some youthful indiscretion has been happening in the penetration testing world for a long time.”
The premise is simple: Experienced cybersecurity professionals with pristine records are becoming more difficult to come by, and those hackers who have plied their trade in hacktivism or criminal affairs in the past might be able to bring a unique and more street-wise perspective to legitimate IT security work. But just like films that portray bad-guys-gone-good (for example, “Catch Me If You Can”), “The question becomes, will they, or can they change back and exhibit their true initial behavior?” according to Morey Haber, vice president of technology for BeyondTrust. “We have all heard the clichés: ‘people never change’ and ‘old habits die hard’. Is this true for hackers who have changed hats?”
In August, Symantec captured industry attention when it began reaching out more aggressively to the independent hacker community with its Website Security team, hiring on former HR Automation CEO Tarah Wheeler to lead the effort. Over the years, a number of “hacker for hire” computer security firms and services have emerged, catering to organizations’ (as well as individuals’) need for help from legitimate hackers. Hacker’s List promises access to a database of “ethical hackers for hire”; 1990s-era hacker collective L0pht Heavy Industries merged with startup @stake in 2000, before the combined computer services company was acquired by Symantec in 2004. Like Luta Security and other hackers-for-hire providers, Bugcrowd provides “bug bounty solutions and [trusted] hackers on-demand” to corporate clients including Tesla, Pinterest, and Western Union, according to the company’s web site. [Bugcrowd, Symantec, Western Union, and Pinterest denied multiple requests for interview for this article.]
But the definition of what constitutes a good or ethical hacker versus a “black hat” might be blurring. Chris Wysopal, chief technology officer for VeraCode and a former member of L0pht, believes prior “association with hacker groups or the more underground hacker cons isn’t disqualifying” for the person to be later hired by a legitimate organization.
“The dividing line is whether or not the person was actually convicted of a crime,” Wysopal says. “In the past employers could skip over anyone questionable but the demand for security experts is so high now. People who have been convicted find a hard time getting any job let alone one related to computer security.” And, in situations where organizations do hire black hat hackers, he says that they are often in a training or advisory role and not hands-on securing or testing networks.
But the practice is not without controversy, or risk. For example, Secure Trading, a U.K.-based payments and cybersecurity company, drew criticism when it announced in March 2016 it had appointed Mustafa Al-Bassam, a former LulzSec hacker known as Tflow, as a security advisor. In 2011, at the age of 16, Al-Bassam helped hack the servers of HBGaryFederal, and leaked 70,000 private emails, for which he was arrested and banned from Internet use for two years.
“Any company that has sensitive data may make it impossible to hire former black hat hackers, especially those who have been convicted of those crimes,” says Ryan O’Leary, vice president for the threat research center at WhiteHat Security. “Doing business with virtually anyone with sensitive data typically requires at least a thorough background check.” O’Leary admits that the lack of qualified white hat hackers is definitely one reason a company might hire “someone with a darker past, as well as the ‘first hand’ experience these people have.”
“They’re able to think like a hacker, because they are one,” O’Leary says. “They can find the critical vulnerabilities that they would exploit and raise those as major issues for the company.”
Many companies and government agencies have worked around this issue by instituting bug-bounty programs – open or invitation-only initiatives where hackers of varying stripes are rewarded for finding potential vulnerabilities in a company’s own systems or its products. Square, Google, and AT&T are among the increasing number of companies that have launched such programs. At Black Hat in August, Apple Inc. captured headlines by offering its first bug bounty program, with rewards of up to $200,000. This spring [April 18-May 12], HackerOne, a bug bounty platform created by security leaders who previously worked at Facebook, Microsoft and Google, spearheaded the “Hack the Pentagon” initiative for the U.S. Department of Defense Digital Service, the first bug bounty program in the history of the federal government.
Moussouris was chief policy officer at HackerOne during Hack the Pentagon, and also developed bug bounty programs for Microsoft and Symantec. “The bug bounty model offers a way to get the benefit [of black-hat experience] without having to hire hackers on, if your organization is risk-averse, or you cannot hire felons,” she says. “This allows you to bring in a person who might not jibe with your hiring policies.” More and more companies are conducting these vulnerability programs (or upping the rewards on existing programs) as a way to help shore up defenses, without having to hire any more staff, whether they have a checkered past or not. “We’re definitely seeing an increase in this defense market for vulnerability information,” she says. “And it provides more choices for researchers and hackers to use their skill set.”
Wysopal underscores the idea that as breaches become more pervasive and pernicious, organizations cannot ignore the experience and benefits hackers bring to the table. “People who understand intrusions and how attackers operate are important in all aspects of cybersecurity whether it is on the protection side designing secure systems, testing software for vulnerabilities, or on the response side trying to detect intrusions and cleaning them up,” Wysopal says. “It is hard to learn these skills without operating like an attacker. This can be done in a lab environment, but some of the most skilled have practiced on live networks with or without permission of the network owner.”
But not everyone subscribes to the idea of the reformed black-hat hacker. Phyllis Schneck, deputy under secretary for cybersecurity and communications for the U.S. Department of Homeland Security, says, “We have plenty of top talent out there without using [someone] with a criminal record. We are looking for integrity, not a criminal mindset.”
While Schneck, who was chief technology officer for the global public sector at McAfee Inc., says that she has heard of companies in the private sector turning to various kinds of hacker help, she says that the “trust” necessary to work in the systems of the federal agencies is too sensitive to allow IT security experts with a criminal background in. “We’re dealing with the well-being of our economy and our country,” she says. “We want people who have not executed such bad judgment.” Instead, Schneck says, her agency is recruiting harder from colleges, and spends more time promoting the need for cybersecurity talent at high schools and junior high schools.
And Haber also points out that, “while I personally believe it possible to change sides and be true to your new cause, there will always be a lingering doubt of [a former black hat’s] allegiance. Insider threats are very real, and no one should be trusted all of the time.”
So where does that leave organizations that do want to tap the expertise of talented hackers, who might not have the most pristine background?
First, you need to understand your business and the end-game scenario that could occur if your most sensitive data were leaked, according to Haber. “If your most sensitive data is credit information, a breach is not an end game,” he says. “It will make the news, you may lose some clients, you may pay a fine. But the odds of your business being out of business are relatively low. Target, Twitter, Yahoo, and even the IRS are perfect examples.”
On the other hand, Haber says that if your business “contains military trade secrets for building a critical piece of weaponry, a breach could certainly put you out of business and may also even land key stakeholders in prison.” He recommends organizations step back and gauge the sensitivity of the information being protected and the possible outcome in the case of a leak.
Wysopal agrees that there is, of course, “a risk if [the employee] becomes disgruntled in their job. They might turn on their employer and become destructive or steal documents.” But, he points out that the risk of hiring a former black-hat also depends on what the position entails. For a customer-facing position, a hacker with a criminal past would not be a good fit, “as customers likely won’t trust the employee and the whole organization if they find out the person’s background.” However, for internal positions, Wysopal recommends considering specifically “what the person had done and how much time had gone by to determine the risk they would perform illegal behavior on the job and weigh that against how skilled they are.”
As Moussouris points out, “Unfortunately, any contractor could potentially pull a Snowden.”