UK's Cyber Reserve Unit Could Employ Hackers

Both the UK defense secretary and the lieutenant colonel in charge of the MoD's new defensive and offensive cyber reserve unit refused to rule out the possibility of recruiting convicted hackers

Last month the UK's defence secretary Philip Hammond announced details of a new cyber reserve unit within the ministry of defense. Under the headline, "Britain will build a dedicated capability to counter-attack in cyberspace and, if necessary, to strike in cyberspace," he announced that the MoD 'will recruit hundreds of computer experts as cyber reservists to help defend the UK’s national security, working at the cutting-edge of the nation’s cyber defenses.'

Now Hammond has told the BBC's Newsnight that the unit will not automatically exclude convicted hackers. "Each individual case would be looked at on its merits," he said.

Lieutenant Colonel Michael White, who heads up the new team, gave more details. "When asked by Newsnight whether someone with the right skills would be ruled out if they had a criminal record for hacking," reports the BBC, "Lt Col White said: 'I think if they could get through the security process, then if they had that capability that we would like, then if the vetting authority was happy with that, why not?'"

The idea of potentially using convicted criminals to defend the national infrastructure is an emotive one. On the one hand it is a question of trust; on the other it is the effective use of a proven resource. And given that there is an offensive capability written into the purpose of the cyber reserves, who is better equipped for such purposes than someone who has already been offensive (albeit, by definition of being convicted, not necessarily successfully)?

Lamar Bailey, director of cybersecurity research at Tripwire, points out that it is already happening in the commercial world. “Finding good quality security researchers and security professionals has always been a problem," he said. "Many companies use a less strict standard when filling these roles – because of the overall shortage they may take someone who knows the craft but not have a spotless past." But Dwayne Melancon, Tripwire's CTO, warns, “The MoD must be careful not to send the message that 'past sins will be forgiven' as that can lead to a feeling that 'future sins could be forgiven'," leading to new problems in the future.

Ross Brewer, vice president and managing director for international markets at LogRhythm, has similar concerns. While broadly supportive, he says the unit must be careful that it doesn't turn itself into a 'body of outlaws.' "The government needs to tread very carefully if looking to employ convicted criminals and ensure no blurring of the lines of morality," he suggests.

David Emm, senior security researcher at Kaspersky Lab, is less sympathetic. "Those who have previously worked for the ‘dark side’ of the code-breaking fraternity are often motivated by money and misplaced ideals, and therefore expecting them to switch sides, and remain there, is unrealistic." He believes that the best solution to the recognized security skills shortage is not to employ hackers, but to encourage the next generation in schools and colleges: the improved education of good people rather than the employment of bad people.

But not everything is black and white, says Luis Corrons, technical director at PandaLabs. "When they say they are not ruling out the recruitment of ex-hackers, they should say 'we are not ruling out the recruitment of ex-criminals'," he told Infosecurity. "Of course they do not dare to say it in this way, but that is what they really mean. Could anyone imagine the MoD saying 'we are not ruling out the recruitment of former IRA terrorists to protect our country?'"

And yet, he continued, "Imagine a 15-year-old boy hacking into some company, being prosecuted and convicted. With time he could change – 10 years later the very same person could be willing to do things in a different way; he has realized the mistakes he made. In that case all of us could think that a person like this should not be ruled out."

One problem for the MoD – which supports Emm's view – is that the nature of the job might be self-exclusive to the more trustworthy hackers. Hacking is generally money-motivated (with few ideals) or politically motivated (with hacktivist ideals). The latter tend to be more amoral than immoral, and are potentially more trustworthy.

Mustafa al-Bassam (Tflow, and 16 years old at the time), a convicted former member of LulzSec but now a computer science student at King's College London, was doubtful that the program would attract such people. "I can understand the need for a government to protect itself," he told Newsnight, "but when you go ahead and stomp on everyone's civil liberties – as we've seen with all the mass surveillance stories that have been out over the past year – I think you can rest assured that you're going to repel talented people."
