Would you trust a criminal with your cyber security?
Several industry sectors have set a good example by hiring ex-offenders, and the cyber security industry could benefit in similar ways by looking at members of the hacker community
The UK cyber security services market is one of the most mature in the world. It has benefited from the development of a higher education system that generates significant numbers of cyber security professionals, a mature training market that allows people to cross-train, and well-structured career pathways to promote professional practices, underpinned by codes of conduct and ethics that are both meaningful and enforceable.
This maturity in the market has put the emphasis on the recruitment of trained, educated individuals who understand career structures and ethics, rather than a “hire the hacker” approach.
The practice of using ex-offenders is carried out with great care in other industries, and the cyber security industry should learn from, and adopt, good practice in this area. We must ensure that we deal with these individuals in an open and inclusive manner and that, as an industry, we take steps to ensure they are supported so that they do not reoffend. Codes of conduct and ethics are an important aspect in ensuring that this is carried out in a controlled manner.
There is also a significant number of individuals who have come to the attention of law enforcement, but have not been charged or prosecuted. The industry must be very careful how it deals with these individuals. It would be inappropriate to exclude them from recruitment activities, and again meaningful and enforceable codes of conduct and ethics are essential to manage these individuals.
Some of the people who have come to the attention of law enforcement, but have not been formally cautioned or charged, are young. Again, the UK is leading the world in this area. Working with the National Crime Agency (NCA) and the Metropolitan Police, not-for-profit accreditation and certification body Crest is developing practices to provide intervention activities to reduce the risk of vulnerable young people being groomed into more serious cyber crime-based activities.
This is a really important activity because it not only helps to identify talent and deflects individuals from a pathway into crime, but it is also one of the few things that starts to reduce the level of threat. The industry has a moral responsibility to help support these initiatives.
The use of former cyber criminals often comes up when companies employ individuals to test out their cyber defences. The argument goes that if you are trying to simulate real-world attacks, then ex-criminal hackers are well placed to do this work.
The risks of using someone who is operating outside the law and outside ethical bounds are obvious. An individual who has a spent crime must be treated in a fair way from an employment perspective. If we are going to be viewed as a professional industry, however, prosecution or potential prosecution should not be viewed as part of a career pathway or a badge of honour to enter the industry.
Another confusing area is bug bounties or group-sourced vulnerability hunting. The industry is struggling with what to call participants in these programmes. Bug bounty organisations are acting legally because they have been “invited in” and they are mostly operating under codes of conduct, but these are very difficult to enforce and often bad conduct has no consequence. The “researchers” working on these programmes are, in the main, also operating legally and within the codes, but it is difficult to guarantee.
The industry is looking to help put standards in place to protect the buyers of these services, as well as the bug bounty programme operators and, importantly, the researchers. Clarification is required to ensure that such programmes are started and operated correctly and, very importantly, that they can be turned off, and that protections are in place to ensure non-participating third parties are not used as a vehicle for cyber criminals to go under the radar and mount malicious attacks.
We must not reinforce the view that in order to get into the cyber security penetration testing industry or have “credibility”, you should come to the attention of law enforcement. This is not a scalable model if we are going to grow the industry and recruit the best people. We must compete with other professions for the best people and mirror good practice in the employment of ex-criminals.
Date added: Nov. 8, 2019, 2:24 p.m.