The UK government's reported decision to employ ex-hackers to work at a newly-established Cyber Security Operations Centre have met with derision from both a high-profile former hacker and an acknowledged cybersecurity expert.
Lord West, the Home Office security minister, first suggested that former hackers (or "naughty boys", as he described them) might play a key role in Britain's revamped cyberdefence strategy back in June. At the time it seemed like just another in the admiral-turned-minister's growing list of eccentric observations on various aspects of security policy.
For example, he later suggested that a net-flinging entanglement "bazooka" designed to stop speedboats might be just the job for use on "topless lovelies". This was doubtless surprising to its developers, who saw it as a weapon against USS Cole-style suicide attacks.
However, last weekend the Sunday Express reported that the MI5 had hired "50 computer-savvy hackers – some of them still teenagers – to work in a newly formed top secret Cyber Operations Command." The majority of the teens are Asians, the paper adds. All are subject to the same level of background security checks used to clear the employment of other intelligence staff. The Sunday Express helpfully adds that this means they have signed the Official Secrets Act and are forbidden from "tell[ing] their parents or girlfriends what they do in the windowless basement area in the Security Service building beside the Thames".
Lord West reportedly described the new hires as "youngsters who use their talents to stop other hackers from closing down this country".
Mathew Bevan (AKA Kuji), a British hacker arrested and unsuccessfully prosecuted for hacking into secure US government networks back in 1994, who later became a successful security consultant, helped us pick apart the many implausibilities of the story.
"These hackers were described as having been 'naughty', but did not have any criminal records," Bevan told El Reg. "How on earth they came to the attention of GCHQ without getting caught (as being caught would suggest that charges would be brought, and if not how come?)."
Bevan noted the lack of buzz about any attempt to recruit hackers by members of the security service.
"I have not heard of any UK hacker/ex-hacker/naughty boy actually having been approached to work at this level," he said. "The truth is that of course they couldn't find 50 UK hackers, because those who are actively hacking are doing their best to not get caught. So they had to outsource to India or China. This begs the question, how on earth did these people even manage to pass the stringent security checks which are performed to work within government offices? Even the USA is saying that due to the amount of hacking coming out of China, that employing Chinese to secure America's Government machines is perhaps not a good idea."
The Welsh former-hacker turned successful hypnotherapist concludes that the whole MI5 hacker-hire story is exaggerated, at best. He speculates that the motive for creating such an elaborate yarn might be one of gaining bragging rights, a posture full of contradictions.
"So this elite team of 'naughty boys', of course, it's not true," Bevan said. "The details have been exaggerated at the least but most likely have been made up, just another attempt at psyops and a way of us to look cool to the American administration, which has said it has hired hackers."
"We have to go bragging to the world that we have ex-hackers in our employment whilst at the same time we are actively trying to extradite or prosecute others. This is sending out a conflicting message as to whether hacking is wrong or a career choice. When it comes to team size, if you have to claim that you have such a big and impressive one everyone knows that its probably very tiny and disappointing," Bevan concludes.
Security consultant Rik Ferguson, someone who has actually worked with GCHQ, said that the idea of idea of hiring reformed hackers to face off against state-sponsored cyberspies, tech-savvy terrorists and cybercriminals from eastern Europe is woefully misguided.
"What really upsets me with this story is the implication that *only* young (former) criminals have the skills required to carry out the work necessary to combat cyber terrorism," Ferguson writes. "I have not personally met any of the team that have been hired for these posts at Cyber Operations Command, but I have a feeling that they wouldn’t care too much for the implication either."
Ferguson repeats Bevan's point that the government is sending out mixed messages about the legality of hacking, more influenced by Hollywood than reality, by suggesting it is both reprehensibly criminal and simultaneously a useful national security skillset.
"It is entirely unacceptable that our security services and our government are broadcasting the message that the only qualification necessary for a job in MI5 is being a hacker (one bad enough to have got caught). People who have been found to have broken the law should not be allowed to profit from their misdeeds, especially by way of an employment offer in the very field of their criminal activities. Would you hire a convicted embezzler as a your accountant? How about a teenage convicted embezzler?"
Ferguson's critique of "schoolboy tales of hiring 'naughty boys' for hi-tech derring-do" can be found here. ®