In 1995, I participated in a debate with distinguished security expert Robert D. Steele, a vigorous proponent of open source intelligence. We discussed the advisability of hiring criminal hackers. Perhaps readers will find the polemic I published back then of interest today. I’m sure it will provoke vitriolic comments from the criminal hacker community.
Our debate today concerns the proposition that criminal hackers are a national resource and should be cultivated as valuable contributors to national and corporate security.
I utterly reject this proposition.
No, society must not reward criminal behavior. Criminal hackers — those who break the law by intruding into computer systems and networks without authorisation and those who steal services from telecommunications companies — must not be rewarded for their criminality.
If you needed to evaluate the security of your home, which would you hire: a burglar who claimed to be an ex-burglar or a bonded security specialist with no criminal tendencies?
The fundamental problem with hiring criminal hackers is their complete lack of credibility. Criminal hackers believe in lying and cheating as a bedrock of their hobby; they misrepresent themselves to the security system and to the human beings they can trick into revealing privileged information. Their credo is tainted by the video-game fallacy: if it is possible to do something, it must be right. Morality exists for them only as a technical constraint: if you think something is wrong, make it impossible to accomplish.
So if you hire a criminal hacker to review your system security, you will make him (usually him) sign a non-disclosure agreement. Riiiight.
Criminal hackers believe that unless you can force compliance, there is no obligation to comply with agreements and rules. I have met hackers who claim that if they can break into your computer system, it's your fault they broke in — regardless of your efforts to protect yourself. The same mentality is at the basis of every criminal act: stop me if you can.
These are people with no connection to the rest of society. They live in a subculture where dishonesty is the norm, where the rest of society is seen as a bunch of lame-brain jerks who don't know enough to protect ourselves. So what makes you think they will change? If you pay them to hack, why would they deal honestly with you when honesty is foreign to their view of the world? You may as well trust an unrecovered alcoholic or an active drug user. Putting confidential information within reach of the criminal hacker is like putting children within sight of a paedophile.
The next problem is that anyone who has been as anti-social as an expert criminal hacker is subject to blackmail. One of the reasons no one hires convicted felons for work requiring them to be bonded by their employer is that criminals have done bad things — and not necessarily all of them are in the public record.
To compromise a person with a tainted background, an enemy can dig up some dirt and threaten to reveal it. Given the moral flabbiness of criminal hackers, it's hard to imagine they'd resist pressure very well. The same problem would arise if you were to hire drug addicts and pushers to work in anti-drug operations; or if you used car thieves to stop car theft; or if you hired embezzlers to write your accounting code. It just doesn't make sense.