Hiring Of Hackers Draws Heated Debate

"Trust has to be evaluated on a case-by-case basis: Hackers who have reformed have something to bring to the table," Mitnick said during the panel session titled "Foxes in the Hen House."

Mitnick, who is now president and co-founder of Los Angeles-based security firm Defensive Thinking, said, "Clients are happy with the value I bring to the table, despite my criminal background."

But Ira Winkler, chief security strategist at Hewlett-Packard, argued against the idea that someone who is able to break into a system also knows how to fix it. "The hard part is not breaking into a computer, the hard part is protecting it," he said.

Hiring hackers poses significant liability risks for companies, which must protect shareholder value, he said. "How does it look giving someone with questionable background the keys to the kingdom?"

Yet Jennifer Granick, an attorney and director of the litigation clinic at Stanford University, argued, "It's presumptuous to say everyone with a criminal background can't be rehabilitated and trusted."

Hackers have special skills that are needed to know how to secure computers, Granick said, but Winkler countered that the idea that hackers have skills others don't have is "completely inaccurate."

Christopher Painter, deputy chief with the U.S. Department of Justice, said hiring hackers sends a bad message to young people, giving them the idea that the road to success is to be a criminal hacker. People can get the experience of breaking into systems without breaking laws, he said.

While some argue that hackers are just trying to improve security by exposing flaws, "hackers have shown a disregard for other people's rights, other people's property," Painter said. Hiring one is a risk-management issue for a company, he said.

"People can be rehabilitated, but it's a risk factor companies have to look at," he said. "If they're going to be the ones who know the most about your network, that's dangerous."

While Painter argued that breaking into a computer is no different than breaking into a house, Granick countered that it is entirely different. "If you break into my computer, you can get my data, but no one's going to get hurt," she said.

The debate was particularly acrimonious between Mitnick and Winkler, who took Mitnick to task for an earlier presentation that Mitnick gave at the conference during which he described his past phone-phreaking activities as a hobby. Breaking into phone systems is a felony, Winkler said, and Mitnick's description of it as a hobby shows how hackers rationalize this behavior.

Mitnick responded that he used to construe phone phreaking as a hobby. He claimed that the IT security industry is hypocritical in its stance toward hackers and alleged that Winkler had hired a group of hackers, including one with a criminal background. Winkler said no one in the group had a criminal background.

"I hire people based on resumes, not criminal records," he said.

Mitnick later repeated his claim that the security industry is hypocritical about its use of hackers, saying, "The truth of the matter is, in the industry hackers are used."

Mitnick said he doesn't simply tell people to trust him but asks them to judge him by his conduct and contributions.

Winkler, though, argued that there are plenty of other places that hackers can work in technology outside of security, such as writing code. "Don't expect to be given a position of trust," he said.