The Fruit of the Poisoned Tree

Should we hire criminal hackers as security experts? This is the second of a two-part attack on the idea from a 1995 debate in which I participated.

* * *

On a broader scale, consider the message you would be giving some thirteen year old proto-hacker. These kids, like most kids, are tremendously susceptible to peer pressure. They already find criminal hacking attractive because it's viewed as today's counter-culture — something fairly harmless (compared with, say, dealing drugs) but exciting because it's illegal. Now imagine that the older creeps can announce that they've just been hired by The Man (i.e., authority figures) to work in counter-intelligence, snooping in foreign companies' files for money (you don't imagine they'd keep it quiet, do you?). Oh man — not only is criminal hacking glittering with the allure of the forbidden now, but you can hope to earn money with it from the government!

Part 1: Why Criminal Hackers Must Not Be Rewarded

The children and emotionally-arrested adolescents involved in criminal hacking already have a love/hate attitude towards The Man. Many of them claim that they'd like to work for security firms when (if) they grow up. This myth that criminal hacking is a reasonable basis for work in security would become even more pernicious if it were known that more hackers had in fact been solicited and used by government or corporate organizations. Using such people would reinforce the attractiveness of criminality.

Consider the outcry if the military in a democracy actively solicited murderers to be soldiers. The great challenge of military training is to temper savagery with honor; to provide a moral framework within which war is viewed as undesirable, killing as regrettable. A soldier who lies is a stain on his unit’s honor. A soldier who steals is a wretch who deserves expulsion. And a soldier who breaks his word is a traitor to his country. And so how shall we deal with people whose entire way of life is to lie and to steal and to cheat?

I say they're unfit to serve.

At the most fundamental level of all, the end does not justify the means. To use criminals, to honor them, to praise them, to pay them: this would be yet another blow against morality and decency. And it would be a blow without even the excuse of necessity. We do not need criminal hackers. Information security can be strengthened using the skills of honest people — hackers, if you like, but not criminal hackers. We should be encouraging children who enjoy using computers to learn more, to learn deeper. We need school teachers who have more than merely a superficial knowledge of the user interface: we need teachers with a thorough grounding in computer science. We need books for children to teach operating systems fundamentals and database theory in an enjoyable, challenging way; we need recognition for the gifted — support for the oddballs who prefer trackballs to basketballs. We need donations of computer equipment and texts from companies who see that helping kids learn is a wise investment in everyone's future. Why not donate used mainframes and servers to help kids learn about operating systems and networks? Let's give brilliant kids with a knack for security summer jobs so they can use their skills to help society instead of feeling marginalized.