Would You Hire a Hacker?

I'm sure that most security professionals have had this question cross their mind, but is hiring a hacker something that makes sense?

In 2002, arguably one of the greatest hackers of all time, Kevin Mitnick, returned to active service in the IT industry. Despite being convicted of several counts of computer crime, serving time in jail, and being restrained from using computer systems, Kevin founded a new company in 2002 called 'Defensive Thinking' to market his security ideas and skills. The idea is that organisations will employ his services on the premise that he is an expert in the area. But should a company hire a hacker (and in this context, I mean hacker in terms of someone illegally accessing computer systems) as a security advisor?

Quite a while ago I was in a job interview with a personnel agent. Things were going well, I had certainly given a good run-down of what I was good at. And then we got to a weird point. The agent put his folder down, looked at me, and asked...

"Have you ever hacked into any systems?"

Well, my answer was a most definite "Assuming you mean illegal hacking, no". You would think that this would be the end of the question, but the agent kept on drilling me with promises of secrecy and non-disclosure. I kept replying the truth, "no". After the grilling, it was obvious that the agent had gone cold. He asked a few more trivial questions and then that was all. After a week of waiting, he called me and said that his client was not interested in my application. Considering that the client was a top-notch accounting firm, this got me to thinking - were they actually considering employing a criminal?  

The rationale for hiring a hacker

Probably the strongest reason for hiring a hacker is the thought that the hacker is an expert in systems security. This kind of makes sense. Someone that has successfully penetrated systems is probably quite capable of identifying vulnerabilities and suggesting corrections. Many security practitioners may state that hackers can reform themselves, and there will even be a number of uncaught hackers, and this may justify employing them. Nevertheless, many company directors will be extremely sensitive to the problems in employing criminals even if they have served their penalties and are reformed.

The case against hiring a hacker

There are many reasons for not hiring a criminal hacker.

  • Is this person really an expert? While the hacker may have proven to be an expert in attacking systems, this does not directly translate into being an expert in protecting systems. It is actually much harder to defend against all kinds of attacks than it is to perform a single attack to illegally access a system.
  • Can you trust a criminal? The hacker has already broken the law; can you trust them with valuable assets?
  • Could this person work within an organisation? Most criminal hackers work alone. When working within an organisation in a security role it is very important to work with the organisation, and not against it.  

The IT Industry's opinion of hackers

In the 2003 CSI/FBI Computer Crime and Security Survey, subjects were asked whether their organisation would consider hiring reformed hackers as consultants. The results were very interesting. 15% of respondents said that they would, 17% of respondents replied with "don't know", and 68% of respondents replied with an emphatic "no". It was reported that respondents had a habit of answering this question with emphatic circling, exclamation points, and notes scrawled in the margin to support their position on the question. This behaviour did not appear elsewhere on the survey form.

And finally, a note of caution to those readers considering a career in IT security. Don't think that hacking into systems to prove your skills will get you a job. You may think that you could gain illegal access to the systems of a company, notify them of their security issues, and gain some work in performing repair work. Sorry, but companies just won't stand for that behaviour. Three quarters of the respondents to the 2003 CSI/FBI Survey emphatically state that they will not employ hackers.

About Kerry Thompson

Kerry Thompson is a Technology Consultant based in Auckland, New Zealand, specialising in IT security and open systems. He has more than 20 years' experience in the area and often publishes white papers in IT security both online and in a number of magazines. http://www.crypt.gen.nz/
