Experts question whether ex-hackers are best placed to find chinks in your armour

The only British member of the LulzSec hacking gang to escape a prison sentence at the end of the trial at Southwark Crown Court in 2013 was Mustafa Al-Bassam, the youngest of those who had been in the dock.

The judge was said to have taken into account the fact Mr Al-Bassam was just 16 when the crimes were committed. He had pleaded guilty to charges of hacking and cyber attacks.

Mr Al-Bassam’s co-conspirators Ryan Cleary, Jake Davis and Ryan Ackroyd received custodial sentences of 32, 24 and 30 months respectively.

However, for his role in LulzSec’s “50 days of Lulz” campaign in 2011, the south Londoner was given a 20-month suspended sentence and an order to perform community service.

The group — which also had members in the US, Ireland and Portugal — launched cyber attacks against companies including Sony, News International and the CIA.

Nonetheless, the gang was publicly lambasted by Andrew Hadik, lawyer for the Crown Prosecution Service, for actions he called “cowardly and vindictive”, and for causing harm that was “foreseeable, extensive and intended”.

Three years on and Mr Al-Bassam is now an IT security adviser at online payment processing specialist Secure Trading, a role he intends to perform while completing his degree in computer science at King’s College London.

“In this industry, there is always demand for people who have talent, regardless of your walk of life or background,” he says.

Meanwhile, Kobus Paulsen, Secure Trading’s chief executive, explains what may seem to be an unusual decision by saying: “When it comes to IT security, I can’t think of anyone better placed to provide advice than an ex-hacker.”

He compares it to recruiting a reformed burglar to protect a jewellery store: “Better than anyone, they will be able to find the chinks in your armour, and explain how they would go about breaching your defences, allowing you to fix and improve them.”

Other business leaders may be open to adopting similar, poacher-turned-gamekeeper recruitment strategies, according to a 2014 survey of 300 senior IT and human resources professionals by KPMG, a professional services firm.

More than half of the respondents said they would consider using a hacker to add insider knowledge to their security teams, while a similar proportion said they would consider recruiting an expert, even if that person had a previous criminal record.

However, Johnathan Kuskos, manager at cyber company WhiteHat Security’s Belfast-based threat research centre, does not believe this strategy is necessarily effective.

Nobody should confuse a hacking conviction with technical skill

“Nobody should confuse a hacking conviction with technical skill or prowess,” he warns. He adds that, while some former hackers may be good technically the flipside is that “the really excellent ones are probably not the ones who’ll ever be on the job market” because they are too good to get caught.

Many companies prefer less tainted talent, says Rik Ferguson, global vice-president of security research at Trend Micro, another IT security company. “It’s not that they couldn’t hire convicted hackers, but rather that they have little interest in doing so because there’s a rich pool of talent out there of skilled people without a criminal record.”

He says there has been a steady rise in the number of IT professionals training as so-called “ethical hackers” on courses run by industry-accreditation bodies such as the EC-Council and the Sans Institute. These teach the same methods cyber criminals use but with the aim of identifying security weaknesses and patching them up, rather than using them for illegal purposes.

Mr Ferguson himself is a certified ethical hacker, having successfully completed the EC-Council programme in 2010. He says that participants are obliged to sign a document at the outset in which they promise to only use the skills they have learnt for legitimate purposes — a kind of Hippocratic oath for IT security professionals.

“If you’re found to have misused the skills, then the sanction is the removal of your certification,” he says.

A large proportion of convicted hackers are bored youngsters caught in the act of perpetrating “low-skill, high-volume” attacks, says Charlie McMurdie, a former Metropolitan Police detective superintendent who took part in the investigation into — and prosecution of — the LulzSec gang. She is now senior cyber crime adviser at PwC, a professional services firm.

She says: “As an employer, you’ve got to consider the restrictions. If you employ that individual, what’s your liability if they go back to their old ways? Can you guarantee oversight for their work? Are they even permitted to travel abroad to work with international clients? Should you disclose their background in conversations with clients?”

That last point is one that Mr Paulson at Secure Trading clearly considered when hiring Mr Al-Bassam. “We will never compromise our client relationships and will always be sensitive towards their wishes. Mustafa will not have access to client systems without their explicit approval,” he says.

And, as Mr Ferguson at Trend Micro says, most people deserve a second chance. “You do the crime, you do the time and you get on with your life.

“There’s a strong argument former hackers should be able to find employment in the market using the skills they have and, if they can’t do that, then the temptation to return to illegal activities may be all the stronger, because there’s no way for them to use their skills legitimately.”