Your life in their hands?

Once again this blog represents my personal views and not necessarily those of Trend Micro

 

According to a report in the Daily Express newspaper, the British intelligence services have hired “50 computer-savvy hackers – some of them still teenagers” to work in the Cyber Operations Command that was recently announced as a part of the UK Cyber Security Strategy.

Would you trust this teen with your cyber security?

Would you trust this person with your cyber security?

 

Back in June, when the Cyber Security Strategy was announced, I blogged about how surprised and disappointed I was with the comments made by Lord West at the time. By way of a reminder, Lord West told the BBC:

 “They had not employed any “ultra, ultra criminals” but needed the expertise of former “naughty boys”, he added.

“You need youngsters who are deep into this stuff… If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys,” he said”

 

I had actually hoped at the time that this was more ill-informed media bluster than actual truth; unfortunately that seems not to be the case. The Daily Express article reminds us, though, that this crack team of teenage (former) bad boys have all had to sign the Official Secrets Act so they can’t tell their girlfriends or their mums and dads what they are up to. So that’s alright then, isn’t it?

 

Let me get this straight: I am not here to complain about young people getting jobs or about the Cyber Security Strategy in general. What really upsets me with this story is the implication that *only* young (former) criminals have the skills required to carry out the work necessary to combat cyber terrorism. I have not personally met any of the team that have been hired for these posts at Cyber Operations Command, but I have a feeling that they wouldn’t care too much for the implication either.

 

It is entirely unacceptable that our security services and our government are broadcasting the message that the only qualification necessary for a job in MI5 is being a hacker (one bad enough to have got caught). People who have been found to have broken the law should not be allowed to profit from their misdeeds, especially by way of an employment offer in the very field of their criminal activities. Would you hire a convicted embezzler as your accountant? How about a teenage convicted embezzler?

 

The Daily Express article goes on to state “The hackers have also intercepted messages from terrorists in Belmarsh maximum security prison”. Perhaps I am being naive here, but why on Earth are convicted terrorists being allowed access to technology that allows them to send (one would assume) encrypted messages from prison? Surely if a prisoner still poses a threat to national security, shouldn’t their communications be monitored or at least restricted as necessary?

 

It would be really beneficial if, instead of inviting criminals and hackers to assist in these commendable national security endeavours, the government approached the application, network and content security communities who have, for many years, been combating malicious, criminal computer and network-related activity. Please concentrate your activity on the creation of meaningful and sustainable detective and enforcement alliances with international partners. Involve Internet Service Providers in initiatives aimed at cleaning up the huge population of home computers already being exploited by cybercriminals. Don’t waste your time telling schoolboy tales of hiring “naughty boys” for hi-tech derring-do.

10 thoughts on “Your life in their hands?”


  3. Chris

    It’s typical of the imbeciles running this country that they think such people would be of more use than, ooh, let me think of an example close to home…

    Wouldn’t somebody who built a computer in 1978, knew how to amend its operating system in machine code, was able to extend its memory by piggybacking RAM chips, wrote his own Prestel terminal software in assembler, has worked on embedded systems including those used by police control rooms, and more, be suitable? No, 60 is too old for a computer expert, they are all children. Any “Lord” will be able to confirm this.

  4. Rik Ferguson Post author

    Thanks for the comments all, I also received a direct email with a few questions about this post. Obviously I won’t repost that person’s mail, but I do want to share my answers with everyone.

    “Thanks for the mail, to be honest, my objection is not to reformed hackers working in IT security, my objection is to hiring people who have scarce had time to demonstrate reform to deal with SigInt of the very highest classification. I also get a bit exercised by the way the government is waving the “teenage hacker” and “former naughty boys” banner as if it gains them some kind of cool or credibility.

    In all candour I would dispute your claim about the best hackers not being in it for the money. I think the burgeoning cybercrime industry amply demonstrates that there is a very large community of highly skilled hackers and coders in the direct employ of organised criminal enterprises. I can’t dispute that, of the hackers you have dealt with, those are your findings, but I am certain there is a larger silent majority of skilled malicious hackers than the less harmful ones you have trained.

    The rehabilitation of offenders act certainly does encourage the rehabilitation of criminals, and so do I, I am definitely not of the hang ’em and flog ’em brigade. I do think though there are sensible limits that should be placed around permitted activities and permitted levels of clearance for certain crimes. Dealing with matters of national security should not be the province of “former naughty boys”.

    I am sure some security companies do use former hackers as consultants, more often than not, former hackers go on to found their own security consultancy companies (Mitnick) and good luck to them. “The security industry” though, by which I mean vendors and manufacturers do not hire former hackers because we believe it both damages our credibility in the eyes of our customers and it sends the wrong signal “write a great piece of malware then come work for us”. I think the same should apply to national security.

    Believe it or not, I don’t write for publicity or notoriety, I only publish blogs that I can justify and in which I fully believe. You might have noticed that I try really hard to stay away from pushing any kind of product on Countermeasures (unless it is free) because I don’t want the articles to be seen as having an alternative agenda.

    Shame we can’t have this conversation on the blog though, maybe other folks would want to join in!

    Cheers,
    Rik

  5. Nik

    Surely the better question would be “would you trust the Daily Express to accurately report on HMG recruitment policy?” :-)

  6. Guilherme Macedo

    “very often they really enjoy stopping other naughty boys,” what?? and in the meantime or when they are bored what do they enjoy??
    That’s just wrong.

  7. dogbert

    Hello,
    I agree with you, especially because kids aren’t full grown yet and it’s inevitable that they will do stupid things over time.

    Kids are kids.
