The U.S. Army ventured into unfamiliar territory last week, the first day of its “Hack the Army” bug bounty program that challenges dozens of invited hackers to infiltrate its computer networks and find vulnerabilities in select, public-facing Army websites.
“We’re not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense,” explained Army Secretary Eric Fanning in announcing the plan in mid-November. “We’re looking for new ways of doing business,” which includes a break from the past when government avoided working with the hacker community.
Like the Army, enterprises are also realizing that the term hacker is not synonymous with criminal, and that hiring hackers may be the only way to keep up with the real bad guys.
Some 59 percent of executives surveyed by Radware and Merrill Research have either hired or would hire an ex-hacker as a way to inject cybersecurity talent into their workforce. More than a quarter of organizations have been using ex-hackers for more than two years, according to the survey, including so-called white hats or ethical hackers, gray hats – those who skirt the law or ethical standards but not for malicious purposes — and black hats who operate with malicious intent.
[ ALSO ON CSO: 7 steps to start a bug bounty program ]
Postings for ethical hacker jobs on the tech career website Dice.com has jumped from 100 jobs in 2013 to over 800 jobs today. “While that’s still a small number considering there are more than 80,000 tech jobs posted on Dice on any given day, it’s clear demand for these professionals is growing rapidly,” says Bob Melk, Dice president.
“Hackers are exceptionally skilled in finding the little tiny things that other people forget – those vulnerabilities you don’t know yet, things you thought you fixed but not entirely properly,” says Alex Rice, CTO and co-founder of HackerOne, a bug bounty platform with 70,000 hackers in its community. “Every organization out there has something they’ve missed.”Organizations are willing to assume the risks in exchange for access to the unique mindset and skillset of a hacker.
“We’ve seen it on the vendor side for years, and now we’re starting to see it on the user side, as well,” says Jon Oltsik, senior principal analyst and the founder of cybersecurity service at Enterprise Strategy Group. “Someone who hacks for fun or who hacked as a researcher — those people certainly could be great hires. They make good hunters and forensic investigators. They may not have the certifications, but they have the skills.”
But hiring someone who’s had a run-in with the law for hacking has its risks, and companies must weigh those risks against their objectives. “Should you hire felons or criminals regardless of their background? That depends. In some cases, it might make sense” based on their individual risk assessment, Rice says.
Many famous black hat hackers have gone on to successful, legitimate careers. In 2008, then 18-year-old Owen Walker was charged as a ringleader of an international hacking group that caused more than $20 million in damages. He went on to work in the security division at telecommunications company Telstra. Jeff Moss, founder of Black Hat and DEF CON computer hacking conferences, ran an underground network of hackers ranging from the curious to the criminal. In 2009, he joined the U.S. Homeland Security Advisory Council, and in 2011 was named CSO for ICANN, the agency that oversees domain names. Kevin Mitnick is now Chief Hacking Officer at security awareness training site KnowBe4. He was once on the FBI’s Most Wanted list for hacking into 40 major corporations.
Shades of gray
The vast majority of hackers are not felons or criminals, Rice says. “They fully intend to leverage their skills for good. These people could choose to be criminals if they want to be, but they decided not to — the same goes for any other type of profession.”
But between the white hats and black hats, how can companies vet all the shades of gray hackers in between? “One man’s hacker is another man’s security researcher,” says Stu Sjouwerman, founder and CEO of KnowBe4. “Just as one man’s freedom fighter is another man’s terrorist.”
Stu Sjouwerman, founder and CEO of KnowBe4
On the vendor side, companies usually hire ethical hackers, Oltsik says. “Maybe they’ve skirted with the law, but usually it’s not someone who’s got a long rap sheet or has been convicted of a crime.”
KnowBe4 employs four white- and gray-hat security researchers. Occasionally, the firm has skirted the law in its efforts to stop attacks – most recently a CEO fraud attack on Sjouwerman himself.
Someone impersonating Sjouwerman sent an email to his comptroller requesting a wire transfer of $40,000. Recognizing the scam immediately, his team went to work to identify the thief and turn the tables in a reverse social engineering scheme.
“We sent him a phishing email to his AOL account that read, ‘there have been too many logins and your AOL is temporarily blocked. Please log in to unblock your account.’ He fell for it in a flash,” Sjouwerman recalls.
Five minutes later, Sjouwerman’s team had the attacker’s user name and password of his AOL account. Once inside, they emptied out his AOL account into their own PSD file and examined his work. The operation was netting the scammer about $250,000 a month.
“We knew that we weren’t allowed to do it, but we did anyway,” Sjouwerman says. When it comes to hiring hackers, “this is the kind of thing that you are easily tempted into if you’re a white hat or gray hat.”
Barriers to hiring hackers
Global CSO Shawn Burke would love to pick the brain of a black hat hacker to find out what his team at Sungard Availability Services isn’t considering when they implement security controls in their solutions. “There is definitely something they could bring to the table,” he says. But that will likely never happen because Sungard provides services to highly regulated financial institutions and government entities with strict requirements on background checks. “Of course, If they haven’t gotten caught, I guess it wouldn’t be on their resume” or background, he adds.
[ RELATED: How (and why) to start a bug bounty program ]
Sungard does employ a handful of white hat hackers who have completed SANS penetration testing and ethical hacking training courses. One employee was involved in “NSA top-secret work” in his former position. “[Former NSA workers] have seen things that nobody on my team has ever seen,” Burke says. “While they can’t talk about it – they certainly know how to say, in their own cryptic way, that we should probably posture our controls in a certain kind of fashion.” When choosing these employees, trust is key, Burke adds. “I have to trust the employees to do their job.”
Proceed with caution
Companies that are considering hiring a hacker should take several precautions, these experts say.
First, perform background checks before hiring new security employees, Oltsik says. “The red flag would be any kind of law enforcement issues or criminal background, a history of malcontentedness or confrontation with other people they work with, HR incidents, multiple jobs – nothing any different from anyone else you would hire.”
If evaluating a gray or black hat who might have a record, “It’s very often referrals and who you know and who they know” that gets them the job, Sjouwerman says. “If you get a verbal [endorsement], that’s the only somewhat-reliable way to get this done.”
Once hired, put the hacker in roles where they can be successful, but make sure you’re managing and monitoring them, Oltsik says. “They do have skill sets that can be damaging. With the right amount of oversite, you could quickly devise whether someone was doing things that are suspicious.”
Companies should also consider whether a hacker is a good fit within the organization. Hackers by nature tend to work independently and aren’t team oriented, Oltsik says. “If you have someone who loves breaking systems, but isn’t the most social, do you have a role that can fit them where it’s beneficial for you and a good fit for them?”
Hackers as consultants
Companies in doubt about their risk tolerance or culture for hackers may want to consider independent consultants on a project basis, Sjouwerman says.
A vulnerability disclosure company, such as HackerOne, connects businesses with security researchers to resolve their security vulnerabilities. HackerOne’s network of 70,000 hackers have earned more than $10 million in bug bounty rewards for solving companies’ problems. The hackers, who range from teens to highly specialized academics to security pentesters with day jobs, are vetted through a reputation system that tracks what the individuals have done when they’ve identified vulnerabilities and reported them, Rice says. The framework lets people practice their hacking skills “in a way that demonstrates their good intent,” Rice says. Proven ethical hackers can then be invited to work on privileged projects, such as the “Hack the Army” event.
“Organizations realize that the only way to get ahead of criminals is to work with those with the skills but none of the [criminal] motivation,” Rice says. “It does take one to know one.”