I believe that most people in the industry know in their gut that hiring a hacker, specifically someone who breaks into systems and commits other computer-related crimes, is wrong. Unfortunately, many others don't really understand the nature of computer crimes and think it's OK to hire a felon or would-be felon.
The basic issue is that most people believe that hackers have some specialized knowledge unique to criminals. If you don't understand computers, surely someone who can compromise them must be a computer genius. Clearly, just because you can stab a person, it doesn't mean you're qualified to be a surgeon.
Can surgeons more efficiently kill people? Probably so. But they don't, because they are generally good, talented people who don't commit crimes. There could be a genius, psychotic doctor out there like a Hannibal Lecter, but they are very few and far between -- if they exist at all.
Computers are the same way. Just because you can stab (a.k.a. hack) a computer, it doesn't mean you know how to repair it. An expert social engineer has no clue as to how to implement an organization-wide awareness program. A person who can download an IIS exploit usually has no clue how to patch that problem or fix a SQL vulnerability.
For some reason, though, the general public, and even some people in information security, buy into the myth that hackers are computer geniuses when all they did was exploit a default password left on a critical server, or something similar. They can kill computers, so they must make brilliant computer security specialists. That just isn't so.
The mere act of breaking into a computer without permission is a crime. It creates risk of damage. Even if the hacker tells you everything he did, you still have to assume the worst and reinstall all systems from scratch. Also, under California's SB 1386 regulation, enterprises must inform California residents if certain personally identifiable information is compromised while in an unencrypted form. That and the resulting effects can cost millions of dollars.
Now for the biggest crock of garbage out there: the concept of self-proclaimed "reformed" hackers. Reformation is a state of mind, not a proclamation. That a person hasn't been arrested for a crime since his release doesn't mean he's reformed. Does he consistently take full responsibility for his crimes and avoid further temptation? Does he admit what he did was a crime in the first place, or call it a teenage hobby? Does he blame others for his arrest, or say he shouldn't have been arrested?
There is a difference between a teenager who is scared straight and a repeat, career criminal. However, you have to be very careful, as criminals tend to hide their complete records, and most of their crimes don't even make it onto their record.
I want to reiterate, though, that ethical considerations are secondary to the fact that they don't have the basic skills of trained professionals. Hire resumes and experience, not criminal records and felonies. The Hannibal Lecters of computers are few and far between. Show me a felon and I can show you 30 professionals who are as good, if not better. Admittedly there are some professionals who are criminals or incompetent; however, that doesn't mean you accept proven criminals.
Would you want Hannibal Lecter to operate on you? He's probably a great surgeon, but he might be tempted to grab a kidney for a quick snack.
About the author
Ira Winkler, CISSP, CISM is chief security architect at Hewlett-Packard. He is also author of the forthcoming book, Spies Among Us (McGraw-Hill).