By Andy McCue, 22 September 2004 14:35
A German security company has divided opinion in the IT industry this week by offering Sven Jaschan, who is being charged with the creation of the Sasser virus, a job.
Not surprisingly the antivirus companies immediately jumped into the debate, claiming it would be impossible to trust a computer criminal.
Beyond that initial reaction the story raises wider questions about whether hackers and virus writers can ever be trusted to have changed their ways, so we asked our CIO Jury if rehabilitated or reformed computer criminals could be trusted to work in a corporate IT department.
The question split the jury down the middle with six saying 'yes' and six saying 'no'.
Ted Woodhouse, IT director at Leeds Teaching Hospitals NHS Trust, said "definitely not", questioning whether past form would resurface at the first sign of disillusionment with the employer.
"If [serial-killing doctor] Harold Shipman had been younger, served his sentence in full and been released as 'rehabilitated and having served his debt to society', who would trust him as a doctor to treat their ailing and aged mother? A leopard does not change his spots - Jaschan belongs in gaol for international and corporate vandalism (not to say terrorism) on a massive scale."
David McKean, director of IT services at Cable & Wireless, said the presence of a hacker in the IT department would undermine the trust everyone has to have in their co-workers. "With a criminal hacker in the ranks you do not have that trust and the risk to the business is just too large."
Mark Foulsham, head of IT at eSure, raised the issue of the dangerous precedent hiring a hacker would set. "The issue isn't really one of trust, it's the message this approach sends out - successful hacking improves your employment prospects."
Margaret Smith, director of business information systems at Legal & General, suggested most firms hire hackers without being aware of it but doubted whether they could be trusted in an IT department.
"The biggest difficulty would be knowing if someone being interviewed is a hacker or not. They obviously have the right mindset in terms of problem solving/problem creating. Their motives for being hackers would need to be evaluated through things such as psychometric tests," she said.
But equally, others would be prepared to give former computer criminals another chance – depending on the circumstances. Phil Pavitt, CIO at NTL, said people should "never be too proud to learn", while David Jemitus, head of IT at the Government Planning Portal, said it is worth the risk if the person has specialist skills that are in demand.
Bill Gibbons, CIO at Abbey, said reformed hackers could be hired as long as the appropriate controls are in place and corporate policy supports it.
"Clearly such individuals can add value given their in-depth technical capabilities but this must be balanced against the significant risks entailed, so each 'opportunity' needs to be assessed on relative merits of employment," he said.
Dr Stuart Brough, director of IT services at the University of Strathclyde, said being selective and getting the right person can "pay dividends". He said: "In higher education we have used students, during the vacation breaks, very successfully and they may fall into a similar category. Students are excellent hackers and test our security on a daily, if not hourly, basis."
Today's CIO Jury was…
Stuart Aitken, CIO, Medical Research Council
Dr Stuart Brough, director of IT services, University of Strathclyde
Mark Foulsham, head of IT, eSure
Bill Gibbons, CIO, Abbey Group
Neil Hammond, IT director, British Sugar
David Jemitus, head of IT, Government Planning Portal
Phil Jones, CTO, easyGroup
David McKean, director of IT services, Cable & Wireless
Rob Neil, head of ICT services, Ashford Borough Council
Margaret Smith, director of business information systems, Legal & General
Phil Pavitt, CIO, NTL
Ted Woodhouse, IT director, Leeds Teaching Hospitals NHS Trust
If you are a CIO, IT director or equivalent at a large or small company in the private or public sector and want to be part of silicon.com's CIO Jury pool, or you know an IT chief who should be, then drop us a line at editorial@silicon.com


Comments
There are 16 comments.
1. anonymous
'If Harold Shipman had served his sentence and been released would you trust him as a doctor to your ailing and aged mother?' says Ted Woodhouse, IT director at Leeds Teaching Hospitals NHS Trust.
What a shocking analogy. Of course I wouldn't, but that's irrelevant. However, if I wanted to study the best ways to prevent a murder of this kind happening again, then Shipman may have been a very good person to turn to (a la Silence of the Lambs).
2. anonymous
Have you seen the movie "Catch Me If You Can"?
Big business do it all the time, if you can't beat them join them
3. anonymous
I don't believe that the moral or ethical implications of this could be compared to any analogy with accuracy in its representation. I do believe he should be given the chance to use his skills in a challenging career to perform positive services - AFTER his sentence has been fulfilled. To use an inaccurate analogy to present my reasoning: many banks and vault manufacturers will hire past, reformed criminals to find faults in the security of their vaults, etc.
4. Corliss Horton
A hacker has to be very intelligent to think the way he/she does. Wouldn't it be more productive to use a hacker for a more positive use, like testing or even producing anti virus software? To use a negative as a positive!
5. anonymous
CIOs who don't understand hacker's mentality and can't control them bring themselves into danger. Imagine a non-ethical cracker being denied a pay raise or just refusing to fund the proposed or required solution..
People without ethical boundaries may break them again... (especially when experiencing that it only gets better after that and they have nothing to lose)
6. anonymous
Worm author is cracker. Crackers destroy, hackers create.
7. Anonymous
Virus writers overestimated?
It is quite easy to write a virus, so I really don't understand why everybody overestimates these kiddies. Mostly they are bad programmers. They write viruses because it is a "bad thing". It's similar to smoking a cigarette when parents aren't watching, except it doesn't cost so much money ;)
8. Angus Doyle
Was going to point out that the Harold Shipman Analogy was very much not relevant, however Anon From IT Sales in London beat me to it.
Once upon a time I would have been classed as a hacker, yet I was given the chance and I believe I have been a great resource to the companies I have worked for, but each person and case has its own merits and should be judged accordingly.
Hiring the Sasser writer was a good idea on the face of it, sometimes you have to hire a thief to catch a thief, the same applies to most crimes.
Not saying that I would have made the same decision, but hey the company who did got some free press coverage.
9. David Pearson
You see Frank Abagnale (Catch Me If You Can) set the precedent years ago that talent displayed through criminal means can be used for non-destructive purposes, so why ought hacking be any different? If the system failed these individuals before and they elected to vent their abilities on the system is it not better to harness that talent than enforce its containment, which clearly has not worked to-date?
10. Ian Livermore
You can Hijack a Plane, cause mayhem, land it in the UK and be allowed to stay, so writing a virus is nothing but educational. Let's have a lottery fund for virus writing.
11. John H Woods
Consultancy answers 1 ("yes --- and no") and 1b ("it depends") must surely apply. Consider the following questions:
Has the hacker been punished?
Have they declared themselves reformed / expressed remorse?
Are they really skillful (i.e. much more than just a script kiddie)?
Are they --- after their prison term --- still able to get back up to date, and still able to work regular hours?
Will they be working in a close team or under close supervision?
If the answers to all these was yes, then the answer to 'would you hire this hacker' would surely be in the affirmative. How many 'no's are required to make the answer negative must surely depend on the hirer, but only an idiot would hire someone for whom all the answers are no.
On its own the question is meaningless, as is any comparison to the case of Harold Shipman. (I was going to put a sarcastic comment but I'm not witty enough. So go to BBC R4 website, and 'listen again' to Jeremy Hardy addressing the Nation on 'how to argue a position')
12. Ryan Stephenson
The implications of bringing in a person who has shown a lack of ethics or moral judgment far outweigh the skill set of this individual. Hiring these persons is an enormous error in managerial judgment and only serves to discredit the companies' credibility in the industry.
Personally, I will not do business with a company who knowingly employs convicted computer criminals. It's just not good business. You can hire some of the best white hat hackers on the planet without compromising the ethical integrity of your company. Sensationalizing malicious computer or internet activity seriously makes me question the motives of a company. After all, the more computer crime that takes place, the bigger profits for security consulting and software companies, no?
I know that I am not alone in my feeling about not doing business with computer criminals, and corporations who are essentially taking themselves out of the competition for sales or contracts by hiring individuals such as this are acting in a very short sighted manner.
13. Paul Smith
Captain Crunch is perhaps one of the better known Hackers turned game keepers. I think it is inevitable that companies hire criminals without knowing it. How many hash smokers or occasional cocaine users work in white collar jobs? To answer my own question quite a few in my years of experience in the IT industry. I am not saying that should be a white card to every script kiddie or virus writer out there, but there is a certain logic to hiring these people. If nothing else it helps you look at the mind set.
14. Marvin
Absolutely No way should a hacker be allowed near anything to do with data ever.... Paedophiles are kept clear of children.
Hackers are untrustworthy law breaking individuals who because of the "HiTech" nature of their crime need 24/7 monitoring near PCs and Networks
15. Ryan Stephenson
Companies will always hire criminal or unethical people unknowingly. However, hiring someone who you later find to be a drug user does not compare to this scenario at all. The key here is also "unknowingly". You sure don't see a lot of corporate recruiters scouting rehab centers.
Would a bank hire a teller who has been convicted of embezzlement? Would a pharmaceutical company hire someone convicted of running a meth lab? Would a security firm hire someone convicted of armed robbery?
It seems ludicrous to think that they would.
However, by the logic of some, these people should be perfect candidates for jobs in related industries, as they have unique experience, even though it may be outside of the law.
16. Angus Doyle
A virus writer or script kiddie really does not cause physical harm to an individual and most of the damage is borne by the corporate world.
When you think of the psychology behind the creation of a virus, you will come to see that these people are just misunderstood little sad individuals and hardly a huge risk to the world at large from an employment point of view.
These people spend so much time with their machines that they see it as their life partner, and when you have a partner that you love and share all with it's only right that you would want to have offspring, the virus is the life that is created by both the human and machine, and it's only natural that a father would want to see his child spread his wings and see the world.
Where is the Malice in that? (being a devil's advocate here)
The Sasser virus was a work of art from a coding point of view, either by pure dumb luck or talent, the author created something that he could have been really proud of.
Hire them? Don’t hire them. The fact of the matter is that these kids keep most of us on our toes, and in our jobs. I would however rather do without them, but hey I would rather do without a lot of things.
We live in a world controlled by Governments and Secret Organisations, when one person can beat them all even for a day. It makes me sit back and think "Maybe, just Maybe there is hope"