Weighing the risk of hiring hackers

Bruce Schneier and Marcus Ranum debate the risks associated with hiring hackers.

Any essay on hiring hackers quickly gets bogged down in definitions. What is a hacker, and how is he different from a cracker? I have my own definitions, but I'd rather define the issue more specifically: Would you hire someone convicted of a computer crime to fill a position of trust in your computer network? Or, more generally, would you hire someone convicted of a crime for a job related to that crime?

The answer, of course, is "it depends." It depends on the specifics of the crime. It depends on the ethics involved. It depends on the recidivism rate of the type of criminal. It depends a whole lot on the individual.

Would you hire a convicted pedophile to work at a day care center? Would you hire Bernie Madoff to manage your investment fund? The answer is almost certainly no to those two -- but you might hire a convicted bank robber to consult on bank security. You might hire someone who was convicted of false advertising to write ad copy for your next marketing campaign. And you might hire someone who ran a chop shop to fix your car. It depends on the person and the crime.

It can get even murkier. Would you hire a CIA-trained assassin to be a bodyguard? Would you put a general who led a successful attack in charge of defense? What if they were both convicted of crimes in whatever country they were operating in? There are different legal and ethical issues, to be sure, but in both cases the people learned a certain set of skills regarding offense that could be transferable to defense.

Which brings us back to computers. Hacking is primarily a mindset: a way of thinking about security. Its primary focus is in attacking systems, but it's invaluable to the defense of those systems as well. Because computer systems are so complex, defending them often requires people who can think like attackers.

Admittedly, there's a difference between thinking like an attacker and acting like a criminal, and between researching vulnerabilities in fielded systems and exploiting those vulnerabilities for personal gain. But there is a huge variability in computer crime convictions, and -- at least in the early days -- many hacking convictions were unjust and unfair. And there's also a difference between someone's behavior as a teenager and his behavior later in life. Additionally, there might very well be a difference between someone's behavior before and after a hacking conviction. It all depends on the person.

An employer's goal should be to hire moral and ethical people with the skill set required to do the job. And while a hacking conviction is certainly a mark against a person, it isn't always grounds for complete non-consideration.

"We don't hire hackers" and "we don't hire felons" are coarse generalizations, in the same way that "we only hire people with this or that security certification" is. They work -- you're less likely to hire the wrong person if you follow them -- but they're both coarse and flawed. Just as all potential employees with certifications aren't automatically good hires, all potential employees with hacking convictions aren't automatically bad hires. Sure, it's easier to hire people based on things you can learn from checkboxes, but you won't get the best employees that way. It's far better to look at the individual, and put those check boxes into context. But we don't always have time to do that.

Last winter, a Minneapolis attorney who works to get felons a fair shake after they served their time told of a sign he saw: "Snow shovelers wanted. Felons need not apply." It's not good for society if felons who have served their time can't even get jobs shoveling snow.

Bruce Schneier is chief security technology officer of BT Global Services and the author of Schneier on Security. For more information, visit his website at www.schneier.com.

Counterpoint: Marcus Ranum

Like Bruce, I've got to say "it depends" -- but I definitely lean more toward "no" for a simple reason: it's harder to explain what happened if something goes wrong.

If the time comes to start second-guessing a decision, you're always going to be vulnerable to accusations of "You hired them, even though you knew they had a criminal record." Remember Arthur Andersen, the document shredding scandal, and how quickly they lost their customer base? The reason a lot of companies dropped it like a hot potato was simply because their executive teams knew it was easier and faster to answer "We changed auditors" on a shareholder conference call than explain how and why they still maintained a comfort level with the firm.

A response that takes two seconds is better (in terms of time and effort) than one that might result in a general discussion consuming several minutes. It seems to me that a lot of decisions get made based on such simple, conservative thinking, and it's hard for me to argue with it; save your time and move on. I've argued in favor of this principle many times in security: It's easier to do nothing than it is to safely do something you know is dangerous.

The real trick comes when you're sure inaction carries its own dangers. In the case of hiring a hacker, it comes down to whether you believe the person in question has extraordinary skills and offers something crucial -- an argument that is fairly difficult to make because the talent pool in information security and computer programming has become so large. I guess I must be one of those heartless capitalists who believe that, deep down, we're all pretty much interchangeable, albeit with a greater or lesser gain or loss in efficiency.

It's the question of "crucial skills" that really fascinates me. We hear a lot about "thinking like a hacker," but I think that's largely nonsense -- it's really just a matter of "thinking like an engineer" and performing an in-line failure analysis along with your design analysis. Other than that, there's a lot of detailed knowledge that's application- and technology-specific; consequently, it has a fairly short lifespan as a value proposition.

Perhaps, somewhere out there, is the greatest VAX/VMS hacker ever, but I doubt he's very busy anymore -- what we are interested in is not the encyclopedic knowledge of every flaw in a dead operating system, but rather the thought process by which he got there. And, to be completely honest with you, that process is nothing special. It's simply a matter of learning how people make mistakes over and over, and applying that understanding to new things as they come along.

Making mistakes over and over is also something I'd look closely for, if I were considering hiring an ex-hacker. I'd look for signs that he or she had learned something from the experience of getting caught (if he had been caught) and what, exactly, that was. With some criminals, "don't get caught" seems to be the primary lesson; if that was what I heard on a job interview I'd try to get that person out the door as quickly and gently as possible.

Ultimately, I suppose the question boils down to whether we're looking at a pattern of errors of judgment, or a single important life-lesson. Society wants to understand and forgive the lessons, while looking askance at the people who appear to be incapable of learning from experience. That's why I have always been a little surprised at the popularity of some ex-hackers who are still riding on the coattails of their own sociopathy. Are they trying to convince us that stubbornness is a virtue? After the first couple of times you get hunted down and arrested, it's not independence -- it's refusal to get a clue.

Would I trust a convicted felon to shovel snow? That's a more complicated question than it seems, because nobody's going to shovel snow with a shovel, anymore. So really, the question is whether I'd trust a convicted felon with an expensive snow-blower or an expensive pickup truck rigged for plowing. And the answer is "probably not" -- especially if I were being expected to make a responsible decision for my business rather than risking my own personal gear.

The answer would be "certainly not" if the conviction was for vehicle theft, but I suppose I might risk it if all the prospective shoveler had done was forge a few Renaissance paintings. I'll note that the closest I've come to hiring hackers was contracting out some vulnerability analysis work to experts in that arena because we didn't have time to build the knowledge base in-house. Did I trust them? Of course, or I wouldn't have done it. But I did get grilled on the topic by my board of directors; and, fortunately, was able to explain a good idea rather than having to defend a mistake.

Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his website at www.ranum.com.