Getting hacked off with cybercrime
28 Sep 2015
Why the corporate world is showing greater demand for hackers
The ever-growing threat of cybercrime gives bosses a strong business case for hiring hackers with the expertise to tighten their companies’ online defences, according to Lisa Shu from London Business School (LBS).
“There is an argument for hiring true online security experts with the perspective needed to combat cybercriminals,” said Shu, Assistant Professor of Organisational Behaviour at LBS. “Organisations are looking in the right place if they want people with the expertise and competence to boost their online security.”
Companies are on high alert after a spate of corporate hacking scandals that have led to data leaks, damaged reputations and huge costs for businesses targeted by cybercriminals.
In October 2014, hackers broke into Sony Pictures and stole confidential documents from the Hollywood studio that were subsequently released online. The leaked information included emails between Sony executives who criticised actor Leonardo DiCaprio for his behaviour on one of their movie sets and joked about President Barack Obama's film choices. Sony Pictures said in February 2015 that the hack cost the studio US$15 million.
More recently, two white-hat hackers, Kyle Lovett and Jordan Wiens, were rewarded one million air miles each in July 2015 for identifying flaws in United Airlines’ security system.
Lovett is a Cisco employee while Wiens co-founded Vector35, which carries out vulnerability research and reverse engineering for firms. Both are white-hat hackers, the term used for computer security experts or ethical hackers.
Since May, United Airlines has offered ‘bug bounties’ to anyone who alerts them to vulnerabilities in their website. The airline said in a statement: “We believe that this program will further bolster our security.”
Many security firms and companies including Facebook and Google also offer bug bounties.
Professor Shu understands why United Airlines launched the program. “It was a very novel way to improve an existing system,” she said. “Ultimately, it signals the carrier’s dedication to doing what it takes to improve its security, which may have prevented a bigger problem by discouraging cybercriminals to hack the website – for now.”
However, Professor Shu believes United Airlines’ decision to reward hackers raises a moral issue for companies: should they encourage people cloaked in anonymity to test their online security? Much depends on the hackers’ intentions and own moral compass.
“White-hat hackers test a company’s security system and get into the mindset of someone who wants to cause trouble,” she said. “The difference between them and cybercriminals is the intention behind their actions. Even if the action and outcome is the same, people will prescribe morality to the underlying intention of the hacker.”
Companies need to do their due diligence to avoid hiring someone with links to cybercrime, according to Professor Shu. She adds that character references rather than CVs should be used to determine whether or not a computer security expert is the right fit for the company.
“Look for any indicators of the person being a trustworthy employee and individual in other domains that aren’t necessarily related to their ability to hack into a system,” she said.
“This is where the personal references might matter more at an interview than the technical qualifications when dealing with a potentially ethical grey area. Businesses should look more for strength of character to match the person’s level of technical skills.”
Appointing someone who is even suspected of carrying out cybercrime is a different proposition. While the candidate has the skills to combat hackers, they may lack the discipline and moral fibre to work in an organisation where collaboration and trust are essential.
Integrating an alleged cybercriminal into the team would be almost impossible, according to Professor Shu. “People already have natural safeguards when working with someone who they identify and label as having formerly breached some code of conduct,” she said.
“Take software development, which requires so much teamwork. If there’s no trust in the team from the beginning, it will be very difficult for the organisation to maximise the expertise of the individual who’s joining.”
Professor Shu adds: “A former hacker would have to continually prove themselves as a trustworthy person, but it only takes one infraction for people to label them untrustworthy.
“Trust is very different to competence, for example. In a sense, it’s ok if you’re incompetent when performing a task because people will still give you credit for the effort made and allow you to demonstrate your competence in other ways. But it’s very difficult for people deemed untrustworthy to get a second chance with their colleagues.”