Rehabilitating criminals is not a new concept, but their skills aren’t always as specific as those of a cyber criminal. With hacktivist arrests on the rise, perhaps it’s time for companies to realize the potential gain in employing the very people they’re fighting against.
“There is no rehabilitation structure for hackers,” said author Misha Glenny at the RSA Conference today in San Francisco. “If your only skill is using a computer, and you’re not able to do that, I think that’s likely to put you back into the underground.”
A rehabilitated cyber criminal, such as the many Anonymous members being cuffed by law enforcement now, could provide valuable insight, as well as real hacking skills.
Kevin Mitnick is a good example. Mitnick spent the ’90s in and out of jail, hacking into well-known companies such as Sun Microsystems and Nokia. He also stole a lot of precious source code, which he considered trophies. After being caught for the last time and spending years in jail, he reemerged to create Mitnick Security Consulting. The company performs penetration tests to find vulnerabilities exploitable from the outside, and also tests how weak security is at physical buildings and how easy it is to gain access to systems.
However, not everyone comes with such a resume. Like any organization, Anonymous is filled with people of varying levels of skill. There are very talented hackers who have spent time in the industry and can be considered “professionals.” And then there are the impressionable younger people, the minors, who have enough technical savvy to launch a Low Orbit Ion Cannon. Their skills in technology are transferable, and Glenny believes it’s time to grab hold of them.
“Most of [Anonymous members] are minors,” said special agent Eric Strom of the FBI at RSA. “How do you prosecute someone like that?”
According to Strom, when the FBI deals with minors involved in cyber crime, they don’t storm in immediately with handcuffs. Instead, they knock on the perpetrator’s door and do the worst: they talk to the parents. He described it as a “wake up call” that the child isn’t actually up there doing homework, and that they “need to be better parents.”
“I think a lot of people think these are just a bunch of kids fooling around, but they can really hurt a company,” said Strom. However, “A minor child will just get slapped on the wrist.”
Grady Summers, the vice president of security company Mandiant, isn’t yet convinced. Taking in rehabilitated cyber criminals might come off as community service — a responsibility not all companies want.
Glenny says the result is that a lot of knowledge is going to waste.
“We have a lot of skills out there with young people who are persuaded to go … to the dark side,” said Glenny. “But there’s a large grey area here. I think there ought to be a mechanism for bringing them in, to see if any of those skills can be used in a positive way.”