The ethics of employing hackers
Posted in 'Identity Theft' by Kevin Pearce
03 July 2012
The increase in data losses due to cyber attack over recent years has slowly opened the eyes of many corporations to the vulnerability of the databases that they are entrusted to protect, and to the increasing need to outsmart those who thrive on the challenge of infiltrating their defences.
A recent public speech by MI5 chief Jonathan Evans revealed that “The extent of what is going on is astonishing” and that there is “a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions.”
Recent victims of cyber-crime include big names such as eHarmony, LinkedIn and PlayStation, who all had customer details released online.
It has been argued by some that the best way to defend against hackers is to invest in the knowledge and processes used by hackers themselves, in effect 'knowing the enemy'.
GCHQ, which reports to the Foreign Secretary and which works with MI5 and MI6, launched the CanYouCrackIt website and invited hackers to try and break the code, with the potential reward of an interview for future employment. The 'challenge' is now closed, so a reasonable assumption is that the vacancies have been filled.
Some would complain that this is rewarding criminals for breaking the law. After all, how do hackers test their skills in the first place?
I believe it is a misguided notion that all individuals capable of cracking these complex codes are criminals. Although there are no official figures, to assume that 100% wish to commit crimes is somewhat ignorant. In addition, it is clear that members of hacking groups such as Anonymous and LulzSec are being pursued, a large deterrent should they be tempted.
UK citizen and suspected LulzSec member Ryan Cleary has been formally charged in the US for various attacks and faces a maximum of 25 years in jail, if convicted.
Finding people to defend against hacking isn't as straightforward as looking at qualifications and work experience. It is hard to quantify someone's ability to solve complex problems, identify loopholes and reinforce potential security weaknesses. It is a way of thinking that many individuals simply do not possess.
The issue at hand is that companies need to be able to assure customers that their data is safe. If the employment of 'former hackers' is what it takes, then I'm all for that.
It's better than finding out that hundreds of thousands of customers' sensitive data has been leaked onto a website for the criminally minded to exploit.
If more companies employed experts to protect us, consumers could feel more secure as our lives are progressively moved online.
Unfortunately, even with this new approach to data breach prevention, there will always be one factor that cannot be overcome by relentless code crunching: human error.
How many times have we heard that Government documents have been lost on public transport, or that security on a building has been so low that unauthorised people can walk in and come out with classified records? There needs to be an increase in awareness, both online and in the real world, and customers should not tolerate any risk that their information could be leaked and misused.
It will be difficult, if not impossible, to achieve 100% security of data, but we should not continue to line the pockets of companies or organisations that do not take the matter seriously.
If companies see a decline in customers (and therefore, profits) due to a known security breach, they should take swift action. And any company watching from the outside should be more than aware that they could be next.
Kevin Pearce is a Credit Analyst at checkmyfile and has a degree in Media and Cultural Studies. You can contact Kevin at email@example.com