That may be the question.
By Alaina Webster, Managing Editor
“Hacker” is something of a dirty word, striking fear into the hearts of many executives, particularly in the financial industry. In today’s cultural climate, there are few things more damaging to banks than a data breach. Still, it’s undeniable that some hackers possess legitimate skills — and perhaps banks shouldn’t be wasting that talent.
Hackers are usually sorted into four categories: white hat, blue hat, gray hat and black hat (set the blue and gray hats aside, as they are not relevant to this discussion). Many companies are familiar with and regularly employ or consult white hats: hackers who test systems with the owner's permission and have never been charged with illegal hacking. Black hats are exactly what you think they are: the criminal hackers.
Black hats have a criminal past, but that also means they have a proven track record of being able to, well, hack, and some companies are harnessing those abilities by hiring reformed ex-black hats. So, should banks follow suit? The first strike against the idea may appear to be section 19 of the Federal Deposit Insurance Act. It states, “Any person who has been convicted of any criminal offense involving dishonesty or a breach of trust or money laundering, or has agreed to enter into a pretrial diversion or similar program in connection with a prosecution for such offense, may not — (i) become, or continue as, an institution-affiliated party with respect to any insured depository institution.” However, the FDIC goes on to define dishonesty as “to cheat or defraud for monetary gain or its equivalent, direct or indirect, or to wrongfully take from any person, property lawfully belonging to that person in violation of any criminal statute or code.” Moreover, section C of the “General guidelines and policies with respect to section 19” states that those convicted as minors are not subject to this ruling, and if a bank is really serious about hiring someone with a criminal record, it can apply to the agency for a waiver.
That’s a lot of legalese, but given the definition of dishonesty and the waiver option, it appears legally possible to hire an ex-hacker. Still, is taking on someone with a documented, morally questionable past wise? Some experts seem to think it’s worth the risk. In 2016, digital security firm Symantec estimated there were 500,000 to 1 million U.S. cybersecurity jobs that could not be filled because the industry lacked skilled candidates, and it projected that the shortfall would grow to 1.5 million by 2020.
Writing for hakin9.org, Kayla Matthews stated, “… companies seeking out the worthiest hackers must realize that many of those individuals may have honed their skills through illegal means … if a company is looking for candidates with many years of hacking know-how, it’ll need to be especially aware that applicants who meet the required experience level might not have clean backgrounds.”
A study by Radware of C-suite executives from a range of industries found that 45 percent of businesses globally already employ ex-hackers in some capacity, either as full-time employees or through contracts with individuals or third-party companies, and 26 percent of businesses are at least open to the idea. In Europe and the Middle East, where companies were two to three times more likely to be attacked, the practice of hiring former hackers is already becoming commonplace, but Radware found the idea is gaining traction in the Americas and the Asia-Pacific region as well.
Ex-black hats themselves can offer some perspective on “going corporate.” Speaking to UK-based SC Magazine, former hacktivist Mustafa Al-Bassam said, “If you hire a white hat who hasn’t sat in a prison cell, they aren’t necessarily going to turn down a six figure sum to share your company’s customer details. For me, having been in that cell, it isn’t worth any money.”