The U.S. Army ventured into unfamiliar territory last week with the first day of its “Hack the Army” bug bounty program, which invites dozens of vetted hackers to probe a select set of public-facing Army websites and report the vulnerabilities they find.
"We're not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense," explained Army Secretary Eric Fanning in announcing the plan in mid-November. "We're looking for new ways of doing business," which includes a break from the past when government avoided working with the hacker community.
Like the Army, enterprises are realizing that the term hacker is not synonymous with criminal, and that hiring hackers may be the only way to keep up with the real bad guys.
Some 59 percent of executives surveyed by Radware and Merrill Research have either hired or would hire an ex-hacker as a way to inject cybersecurity talent into their workforce. More than a quarter of organizations have been using ex-hackers for more than two years, according to the survey, including so-called white hats or ethical hackers; gray hats, those who skirt the law or ethical standards but not for malicious purposes; and black hats, who operate with malicious intent.
Postings for ethical hacker jobs on the tech career website Dice.com have jumped from 100 jobs in 2013 to over 800 jobs today. “While that’s still a small number considering there are more than 80,000 tech jobs posted on Dice on any given day, it’s clear demand for these professionals is growing rapidly,” says Bob Melk, Dice president.
“Hackers are exceptionally skilled in finding the little tiny things that other people forget – those vulnerabilities you don’t know yet, things you thought you fixed but not entirely properly,” says Alex Rice, CTO and co-founder of HackerOne, a bug bounty platform with 70,000 hackers in its community. “Every organization out there has something they’ve missed.”

Organizations are willing to assume the risks in exchange for access to the unique mindset and skillset of a hacker.
“We’ve seen it on the vendor side for years, and now we’re starting to see it on the user side, as well,” says Jon Oltsik, senior principal analyst and founder of the cybersecurity service at Enterprise Strategy Group. “Someone who hacks for fun or who hacked as a researcher – those people certainly could be great hires. They make good hunters and forensic investigators. They may not have the certifications, but they have the skills.”
But hiring someone who’s had a run-in with the law for hacking has its risks, and companies must weigh those risks against their objectives. “Should you hire felons or criminals regardless of their background? That depends. In some cases, it might make sense” based on their individual risk assessment, Rice says.