The U.S. Army ventured into unfamiliar territory last week, the first day of its "Hack the Army" bug bounty program that challenges dozens of invited hackers to infiltrate its computer networks and find vulnerabilities in select, public-facing Army websites.
"We're not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense," explained Army Secretary Eric Fanning in announcing the plan in mid-November. "We're looking for new ways of doing business," which includes a break from the past when government avoided working with the hacker community.
Like the Army, enterprises are also realizing that the term hacker is not synonymous with criminal, and that hiring hackers may be the only way to keep up with the real bad guys.
Some 59 percent of executives surveyed by Radware and Merrill Research have either hired or would hire an ex-hacker as a way to inject cybersecurity talent into their workforce. More than a quarter of organizations have been using ex-hackers for more than two years, according to the survey, including so-called white hats or ethical hackers, gray hats -- those who skirt the law or ethical standards but not for malicious purposes -- and black hats who operate with malicious intent.
Postings for ethical hacker jobs on the tech career website Dice.com have jumped from 100 jobs in 2013 to over 800 jobs today. "While that's still a small number considering there are more than 80,000 tech jobs posted on Dice on any given day, it's clear demand for these professionals is growing rapidly," says Bob Melk, Dice president.
"Hackers are exceptionally skilled in finding the little tiny things that other people forget -- those vulnerabilities you don't know yet, things you thought you fixed but not entirely properly," says Alex Rice, CTO and co-founder of HackerOne, a bug bounty platform with 70,000 hackers in its community. "Every organization out there has something they've missed."
Organizations are willing to assume the risks in exchange for access to the unique mindset and skillset of a hacker.
"We've seen it on the vendor side for years, and now we're starting to see it on the user side, as well," says Jon Oltsik, senior principal analyst and the founder of cybersecurity service at Enterprise Strategy Group. "Someone who hacks for fun or who hacked as a researcher -- those people certainly could be great hires. They make good hunters and forensic investigators. They may not have the certifications, but they have the skills."
But hiring someone who's had a run-in with the law for hacking has its risks, and companies must weigh those risks against their objectives. "Should you hire felons or criminals regardless of their background? That depends. In some cases, it might make sense" based on their individual risk assessment, Rice says.
Many famous black hat hackers have gone on to successful, legitimate careers. In 2008, then 18-year-old Owen Walker was charged as a ringleader of an international hacking group that caused more than $20 million in damages. He went on to work in the security division at telecommunications company Telstra. Jeff Moss, founder of Black Hat and DEF CON computer hacking conferences, ran an underground network of hackers ranging from the curious to the criminal. In 2009, he joined the U.S. Homeland Security Advisory Council, and in 2011 was named CSO for ICANN, the agency that oversees domain names. Kevin Mitnick is now Chief Hacking Officer at security awareness training site KnowBe4. He was once on the FBI's Most Wanted list for hacking into 40 major corporations.
Shades of gray
The vast majority of hackers are not felons or criminals, Rice says. "They fully intend to leverage their skills for good. These people could choose to be criminals if they want to be, but they decided not to -- the same goes for any other type of profession."
But between the white hats and black hats, how can companies vet all the shades of gray hackers in between? "One man's hacker is another man's security researcher," says Stu Sjouwerman, founder and CEO of KnowBe4. "Just as one man's freedom fighter is another man's terrorist."
On the vendor side, companies usually hire ethical hackers, Oltsik says. "Maybe they've skirted with the law, but usually it's not someone who's got a long rap sheet or has been convicted of a crime."
KnowBe4 employs four white- and gray-hat security researchers. Occasionally, the firm has skirted the law in its efforts to stop attacks -- most recently a CEO fraud attack on Sjouwerman himself.
Someone impersonating Sjouwerman sent an email to his comptroller requesting a wire transfer of $40,000. Recognizing the scam immediately, his team went to work to identify the thief and turn the tables in a reverse social engineering scheme.
"We sent him a phishing email to his AOL account that read, 'there have been too many logins and your AOL is temporarily blocked. Please log in to unblock your account.' He fell for it in a flash," Sjouwerman recalls.
Five minutes later, Sjouwerman's team had the attacker's user name and password of his AOL account. Once inside, they emptied out his AOL account into their own PSD file and examined his work. The operation was netting the scammer about $250,000 a month.
"We knew that we weren't allowed to do it, but we did anyway," Sjouwerman says. When it comes to hiring hackers, "this is the kind of thing that you are easily tempted into if you're a white hat or gray hat."
Barriers to hiring hackers
Global CSO Shawn Burke would love to pick the brain of a black hat hacker to find out what his team at Sungard Availability Services isn't considering when they implement security controls in their solutions. "There is definitely something they could bring to the table," he says. But that will likely never happen because Sungard provides services to highly regulated financial institutions and government entities with strict requirements on background checks. "Of course, if they haven't gotten caught, I guess it wouldn't be on their resume" or background, he adds.
Sungard does employ a handful of white hat hackers who have completed SANS penetration testing and ethical hacking training courses. One employee was involved in "NSA top-secret work" in his former position. "[Former NSA workers] have seen things that nobody on my team has ever seen," Burke says. "While they can't talk about it -- they certainly know how to say, in their own cryptic way, that we should probably posture our controls in a certain kind of fashion." When choosing these employees, trust is key, Burke adds. "I have to trust the employees to do their job."
Proceed with caution
Companies that are considering hiring a hacker should take several precautions, these experts say.
First, perform background checks before hiring new security employees, Oltsik says. "The red flag would be any kind of law enforcement issues or criminal background, a history of malcontentedness or confrontation with other people they work with, HR incidents, multiple jobs -- nothing any different from anyone else you would hire."
If evaluating a gray or black hat who might have a record, "it's very often referrals and who you know and who they know" that gets them the job, Sjouwerman says. "If you get a verbal [endorsement], that's the only somewhat-reliable way to get this done."
Once hired, put the hacker in roles where they can be successful, but make sure you're managing and monitoring them, Oltsik says. "They do have skill sets that can be damaging. With the right amount of oversight, you could quickly devise whether someone was doing things that are suspicious."
Companies should also consider whether a hacker is a good fit within the organization. Hackers by nature tend to work independently and aren't team oriented, Oltsik says. "If you have someone who loves breaking systems, but isn't the most social, do you have a role that can fit them where it's beneficial for you and a good fit for them?"
Hackers as consultants
Companies in doubt about their risk tolerance or culture for hackers may want to consider independent consultants on a project basis, Sjouwerman says.
A vulnerability disclosure company, such as HackerOne, connects businesses with security researchers to resolve their security vulnerabilities. HackerOne's network of 70,000 hackers has earned more than $10 million in bug bounty rewards for solving companies' problems. The hackers, who range from teens to highly specialized academics to security pentesters with day jobs, are vetted through a reputation system that tracks what the individuals have done when they've identified vulnerabilities and reported them, Rice says. The framework lets people practice their hacking skills "in a way that demonstrates their good intent," Rice says. Proven ethical hackers can then be invited to work on privileged projects, such as the "Hack the Army" event.
"Organizations realize that the only way to get ahead of criminals is to work with those with the skills but none of the [criminal] motivation," Rice says. "It does take one to know one."