UK cyber defence unit ‘may include convicted hackers’

In response to the news that convicted computer hackers could be recruited to the UK’s cyber defence force if they pass security vetting, Tripwire have made the following comments:

Dwayne Melancon, CTO of Tripwire, said:

“This sounds like something straight out of Hollywood – using convicted prisoners to engage in an impossible mission under the cover of special exemption from the government.  It makes sense that these individuals may have the skills needed to help in cyber defense, but it will be key to follow a ‘trust but verify’ model in which they are supervised closely to mitigate the risk that they will do something criminal or disruptive.

“The MoD must also be careful not to send the message that ‘past sins will be forgiven’ as that can lead to a feeling that ‘future sins could be forgiven.’  In other words, if this were construed as a sort of ‘amnesty act’ for cybercriminals, we could have far more problems in the future.

“Finally, I would like to know how this program will be monitored, what criteria will be used to determine whether the nature of past crimes excludes certain individuals, and what criteria will be used to judge whether the program is successful or not.”

Lamar Bailey, director of cyber security research said:

“Finding good quality security researchers and security professionals has always been a problem. Many companies use a less strict standard when filling these roles because of the overall shortage they may take someone who knows the craft but not have a spotless past.

“The market for these resources is very tight between competing companies and the black market so companies are forced to offer higher wages, extra perks, or consider someone that might have had issues in the past so it is not unusual to see governments doing the same.”

Tim Erlin, director of product management, said:

“The MoD is facing a skills shortage and a publicity problem in recruiting at the same time. In order to staff effectively, they have to expand their recruiting pool to include all of the individuals with the skills they require.

“This isn’t a recruiting campaign targeted at convicted criminals, but an wide net leading to a more refined vetting process. While there are risks involved in hiring individuals with a criminal past, they may be worth it, if managed appropriately.”

A_New_Approach_To_Cyber_Security