Why is it that the U.S. Government not only wants to hire hackers but brags about it? And then, why are they surprised when the strategy backfires as it seemingly did with Edward J. Snowden? Christopher Drew and Scott Shane wrote an article “Résumé Shows Leaker Honed Hacking Skills” for the front page of The New York Times of July 5, 2013, which describes how Snowden trained in “ethical hacking” … a contradiction in terms if ever there was one.
Four years ago, when the USG was actively seeking hackers to fill their cyber ranks, I wrote a piece with the title “Homeland Security Hires a Hacker and Brags About It” in which I commented about a Charlie Rose July 29, 2009 interview with Secretary Janet Napolitano, where the latter appeared to be almost gleeful at having co-opted black hats into her Department’s employ. It is clear from the recent events with Snowden that such a strategy might backfire. You can still see the article at https://www.facebook.com/notes/intellitactics/homeland-security-hires-a-hacker-and-brags-about-it/145696338941 In the article, I state that the very hiring of former hackers presents entirely the wrong message to young people who might be confronted with a choice between ethical and nefarious hacking. In an earlier interview with Sunil Bhargava, then CTO of Intellitactics, I had expressed similar views and took issue with Bruce Schneier’s claims at the time that you had to have a criminal mind to be effective in cyber security, see … https://www.facebook.com/notes/intellitactics/intellitactics-challenges-the-idea-of-hiring-hackers/101134223941
In my business and industry activities, I have opposed (and still do) the practice of hiring hackers. On one occasion I refused to engage a highly-rated security firm that had its origins as a well-known group of hackers because of a concern that if, for any reason, a “reformed” hacker took umbrage with his employer or client, we could be at risk of a damaging reaction in some form or other.
It is clear that one cannot guarantee that someone with the requisite technical skills will gain access to sensitive information and sell or give it to a third party for financial gain or to a journalist or website owner for political reasons. But one can certainly reduce the risk by more carefully screening candidates for employment and observing the behavior of those already on staff. Just as you wouldn’t want someone who has been found guilty of homicide as your armed security guard, you shouldn’t seek to hire those already known for illegal hacking activities or those who have been fired for prior dishonest activities. While admittedly there was no evidence of any such incriminating activity about Snowden, his pattern of activities, as described in the above NYT article should have raised red flags. And, as has been discussed in a previous piece, there need to be restrictions on what is made available to those with privileged access.
It is certainly not a good idea to hire those with actual or suspected criminal activity into positions that call for access to sensitive systems and data, even if you are confronted with strong needs for skills possessed by those individuals. It is far better to train trustworthy persons in the requisite skills and knowledge even though that may be expensive. In the long run it will surely turn out to be less costly to take the conservative approach of training those who have shown themselves to be trustworthy and supportive of your organization’s goals than to succumb to the pressure to fill critical positions and hire questionable persons.