Hiring Felons to do Computer Security?
Posted on October 13th, 2009 in Computer Security, Movies, Television | 3 Comments
Last week Bruce Schneier commented on a story about a prison that let an inmate convicted of credit card fraud reprogram a prison computer. Schneier believes this sort of thing should be an “obvious” no-no, and I agree. However, it isn’t obvious to a lot of intelligent and well-intentioned people. In fact there’s consistently been debate on whether or not criminals should be hired for computer security positions. There are people who fervently believe the myth that being an excellent criminal carries over into being an excellent law enforcement officer or security adviser.
Unfortunately, pop culture continues to prop this myth up with TV shows like the USA Network’s upcoming White Collar. The show is about an FBI agent who teams up with his nemesis-turned-good-guy to solve crimes that no one else could solve. Another TV series, called Dexter, which appears on Showtime, portrays a forensics expert who secretly murders the criminals he finds through his work. Both of these shows operate on the premise that experience committing crimes is useful in preventing them.
In reality, committing crimes and preventing crime are fundamentally different activities not because of the skill sets but because of the motivation and interests involved. In fact, the skill sets may be strikingly similar in a lot of ways. Some pirates are excellent sailors, some outlaws can shoot extremely well, and some hackers know a lot about computers. Don’t focus on asking whether the skill sets overlap. Instead, focus on questions like these: Are they dependable? Can they work well with other people in your particular work environment? How do you know they are actually interested in helping your organization? How do you know they are truly reformed?
After focusing on these questions, the truth comes to light: it is very rare that an excellent criminal history translates to an excellent crime-prevention future. There is a reason that police departments do a criminal background check before hiring someone. There is a reason that day care providers don’t hire convicted child molesters. There is a reason that banks don’t hire convicted felons to do security. Why wouldn’t the same rationale carry over to information or computer-based crimes?
Now, there are instances of convicts making amends and turning their lives around. Frank Abagnale is perhaps the most famous of these reformed con men. Hollywood capitalized on his story with the highly successful movie Catch Me If You Can. I know several people who have heard him speak at security conferences, and they have told me that he continues to apologize for his life of crime at the beginning of his talks, decades after those crimes occurred. In fact, he may be a good model of how to lead a life of contrite contribution to law enforcement after being an extremely skilled criminal. He worked long and hard to earn the trust of banks and the FBI. He was initially paid only for positive results, and used the money he earned as a security consultant to pay back his debts.
Still, as a general rule, it should be obvious that hiring anyone convicted of computer fraud to do computer security work is a bad idea. Why take the risk? There are a lot of extraordinarily talented computer security experts who do not have the baggage of a criminal record. If you find, after searching for a non-felon, that you need the particular skills or expertise of a convicted computer fraudster, then don’t put them in a position of power. Don’t trust them without oversight. Don’t get caught up in the Hollywood story. The Frank Abagnales of the world are exceedingly rare; hiring a felon to do computer security almost never ends well.
3 Responses
We actually have a friend who spent his early career hacking into government agencies’ systems and now he gets paid a lot of money to try to break into their systems and show them their flaws – I think he’s still a criminal at heart
…although now he’s a very wealthy criminal
I don’t know your friend, but I often get this sort of feedback when I talk with people in person about this. It’s pretty important and I should have addressed it in the post. A lot of people have friends who did mischievous things with computers when they were younger and ended up getting hired to do computer security work later. Folks often hold their friends up as counterexamples to the argument, so I’ll try and address that situation generally in this comment.
When you say that your friend “spent his early career hacking into government agencies’ systems,” you sort of imply that he was being paid to do this. If it was legitimate work, then that’s just another penetration testing job, and I would say more power to him, particularly if he’s getting paid big bucks! If it was not legitimate work and he wasn’t being paid, then it could range from simply mischievous behavior to a relatively minor offense or misdemeanor. This is by far the most common case in conversations like this. Again, I don’t know your friend, but many non-technical people have computer literate friends who dazzle them with fish stories about incredible feats of computer security. I’ve heard some rather preposterous tales, and although I have become rather skeptical about the stories, I would not consider telling such tales disqualifying in terms of employment.
Of course, it is also possible your friend did some more serious “grey hat” sort of activities. A good example of this is Christopher Soghoian’s boarding pass incident. Was it strictly legal? Yes. Was it ethically dubious? That’s another question altogether. More importantly, is this the sort of thing I’m talking about in this post? No. I’m talking about actual criminals — people who have chosen to willfully violate the law and commit crimes for money or power. These are people who are doing it for a living, either to get rich quick or as a day job. I very strongly suspect that this does not describe your friend, who may fall into the “grey hat” category at worst.
Now, if your friend was an actual criminal who sought to make a career out of computer fraud, I would find it extraordinarily hard to hire him to do computer security work, particularly if he was charged, tried, and convicted for computer fraud. This should be obvious. There are simply too many good people out there without the criminal baggage.
Thanks for the comment! I really should have been clearer about that in the post.
[...] Schneier and Marcus Ranum discuss a topic I’ve commented on before: Should you hire a convicted felon to do computer security work? Although this article appears as a [...]