Recruiting cyber criminals – It’s often said that a career in crime doesn’t pay, and that ultimately you will end up worse off than those who choose the legitimate life. In the world of cyber security and hacking, however, you could be forgiven for thinking that these lines can be a little blurred.
It seems that every week we hear about the latest big data breach, with companies hurrying to cover up their cyber protection inadequacies while potentially haemorrhaging cash in fines and suffering reputational loss and other collateral damage. Historically, we always seem to discover that the perpetrator is a young, often solo hacker armed with little more than a laptop and an extensive knowledge of coding. And there are a lot of them.
What we also seem to see is that these hackers, occasionally after a lawsuit, a fine and maybe a brief stint in prison, are prime recruitment targets for large multinational companies and even governments. The reasons for this are very clear, even if they reflect an unusual level of leniency compared with the punitive measures associated with other crimes: these employers want to know which weaknesses the hacker originally exploited so they can plug the leak. Learning from the cyber criminals is often the best way to protect yourself.
This insider information concept can also work the other way to favour the hacker. You might remember Albert Gonzalez from our feature on biggest worldwide hacks as the man responsible for, among a plethora of other misdemeanours, hacking into American clothing giant TJX. While building his hacking empire, he was also allegedly drawing a cash salary of $75,000 from the Secret Service as an undercover informant, and simultaneously using this insider knowledge to avoid detection himself. Ultimately, it didn’t pay off: he was arrested in 2008 and sentenced to 20 years in prison.
So ultimately, when budding cyber enthusiasts hear of the pursuits of people like those lone young keyboard warriors and icons like Gonzalez (minus the ending) going on to have big careers, you can appreciate why they might feel they need to be a black hat hacker in order to secure a lucrative job.
But do you need to be a malicious hacker in order to land lucrative positions? Perhaps this was the case a few years ago, when hacking was growing and understood only by an elite few, but there are now a lot more opportunities to do it legitimately, with companies and educational institutions finally waking up to the staggering need for cyber professionals, as highlighted in this CNBC article. It talks about the increased interest in the cyber profession, with student groups being launched at Stanford University to teach students “practical hacking, computer security and cyberpolicy analysis.”
And if you have a degree from a prestigious university like Stanford, taught by professors like Gene Spafford whose CV includes advising several government agencies such as the NSA, do you really need to risk criminal punishment by being a black hat when you could be a white hat?
In some cases, those lone crusaders have had their misdeeds forgiven, but that wasn’t the case for Albert Gonzalez, and that’s definitely something to bear in mind.