The View

To catch a thief, it’s best to employ one

A new generation of so-called ‘white-hat hackers’, often ex-cons, has been created to help some of the world’s biggest organisations detect and fix system vulnerabilities

PUBLISHED : Wednesday, 10 August, 2016, 10:40am
UPDATED : Wednesday, 10 August, 2016, 10:43pm

Who better to catch a thief than a thief? The old maxim has lost none of its resonance. After all, who knows more about how thieves think and operate than thieves themselves?

Armed with this kind of logic, many corporations and indeed governments have employed the services of criminals (usually ex-cons) to help them keep criminal threats at bay.

Of course, these services are dressed up in the fancy language of security precautions and the like, but the reality is that they are hiring criminals or quasi-criminals to catch criminals.

These days companies feel especially vulnerable to attacks from cyberspace. They live in fear of hackers getting into their systems and holding them to ransom or, perhaps even more alarming, not holding them to ransom at all but exposing them to fun seekers who revel in creating havoc.

Last week the mighty Apple Corporation, which prides itself on having devised secure and impregnable systems, offered rewards of up to US$200,000 to so-called ‘white-hat hackers’ to help detect and fix system vulnerabilities.

In case anyone was left in any doubt as to the nature of this offer, Apple declared it to be a ‘bounty program’.

The idea was unveiled at the Black Hat conference in the US, which brings together people who describe themselves as IT security professionals but who are often better known as sophisticated hackers. It is a big event, attracting a growing number of attendees.

Apple is not the first, nor will it be the last, big company to pay hackers to catch hackers.

In February Facebook admitted that it had paid out $4.3 million since 2011 to more than 800 ‘researchers’ for this kind of assistance.

Last month Google said it had given an unspecified number of people a total of $550,000 to help identify vulnerabilities in its Android software.

Recently disclosed bugs in Android phones, however, suggest that more needs to be spent.

Other large corporations, notably Chrysler and United Airlines, have also paid hackers for assistance.

But none of them have handed over as much as the United States government, which gave one group of hackers a sum believed to be in the order of US$1 million for helping to break into, wait for it – Apple’s iPhone encryption system – after Apple refused to comply with a court order to help unlock a phone used by a terrorism suspect.

Rather than fight Apple’s challenge to that order through the courts, the US Department of Justice took a speedier route to obtain the information.

This raises questions over both the legitimacy and probity of the government’s actions.

No one, however, is under any illusion over the scope of the problem facing companies who worry about hacking.

At last year’s Black Hat conference, a survey of attendees found that 72 per cent expected their organisations to have to deal with a major data breach in the coming year.

And two thirds of respondents expressed concern over a lack of resources to meet this threat.

Welcome, then, to a new era that has so many parallels with previous eras in which threats to company security were handled by getting those with the dirtiest of hands to keep threats at bay.

Hong Kong companies, especially smaller businesses, used to be plagued by organised criminal gangs seeking protection money, and found that the easiest way of avoiding nasty things happening to their premises and personnel was to pay up, and indeed to shut up about these payments.

A side benefit of paying up was that businesses were not only able to avoid attacks by the extortionists but were also protected from rival gangs seeking to extort cash.

In some parts of Hong Kong these rackets have not gone away, but the days when the police were active participants in the protection rackets have thankfully largely disappeared.

Paying hackers to catch hackers is not so very different, even though this assertion is likely to be greeted with some considerable annoyance by the growing band of white and black hats operating in the cyber world.

More fundamentally, it emphasises the wider truth that in business there is less black and white than might be imagined.

Companies get involved in dirty stuff in a whole range of ways. If you doubt this, think about the large coterie of so-called middlemen who are active in business with the mainland.

Do you seriously believe that they are simply offering sage strategic advice? If so, it often comes in the form of advice about which envelopes to stuff with cash and which offshore bank accounts need to be replenished. It’s a murky world out there, full of quite ‘respectable’ people.

Stephen Vines is a Hong Kong-based journalist and entrepreneur