With all the recent headlines about data breaches, should your organization hire a “thief to catch a thief?” That’s a question Kevin Mitnick, sitting near the top of the hacker hall-of-fame for famous hack sprees in decades past, has been contemplating. He’s not alone – many companies are wondering the same thing. There is a sort of desperation to stop one’s own organization being paraded out in the headlines as the next in a series of “also hacked” companies who have to do the media walk of shame, reporting what happened and distributing blame (and possibly legal correspondence).
Back in the day, when scary-looking agents scooped up Kevin at his apartment and scooted him off to an extended stay in the correctional system, there was a high-spirited zeal to strike back at these new-fangled hackers, and he was the poster child. The sentiment (exacerbated by various media) included a mix of frequent irrational fear mongering, along with a conspicuous void of accurate technical analysis. The public was grasping for a simple solution to complex, multi-faceted issues (sound familiar?). Now he claims he’s reformed, done his time (and then some), and paid his debt to society, but would you trust him (or any similarly situated reformed hacker)?
In a recent interview, a related question was posed to Kevin, and his answer may help to shed some light: “This question is really a question of balance. Does the prospective employee (former hacker) bring enough knowledge, experience, or skills that outweighs the risks associated with hiring that person? You have to closely examine the background, values, beliefs, goals, and attitude, to gauge the risk to the business. In some cases, the person can be hired to perform a service that is a low risk or even risk free. I firmly believe that once a person has paid their debt to society for past transgressions, that individual should be free to pursue legitimate employment opportunities that benefit society.”
So is your organization ready to wade into the waters looking for a reformed hacker? In the same way it’s a bad idea to have a mechanic blindly replace car parts without a plan and analysis already in place (and hopefully a clearly defined problem), hiring a reformed hacker as a “magic bullet” doesn’t relieve your organization of the need for a more complete analysis and implementation of a layered security stance, nor should it. That said, an organization may feel the risk/reward of having an employee with significant “street smarts” makes sense. It seems to be relatively popular among government law enforcement organizations. Organizations that have hired reformed hackers have been seeing good results. It may be that the potential scrutiny toward the reformed hacker/employee, who knows they are expected to be on their best behavior, becomes a self-fulfilling prophecy. In any case, there seems to be significant demand in the marketplace currently, so it might be something to keep an eye on.
ESET Research Systems Manager