After eBay got hacked, someone asked Rob O’Hara why they don’t just hire hackers to stop the hackers.
That’s a more complicated question than it sounds like. The simple answer is that most companies do, but their hackers don’t find everything. The more complicated question is one of ethics. To me, I’m inclined to answer the question of why a company wouldn’t turn around and hire the people who just hacked them with another question: Would a bank hire someone who just robbed it as its new security guard? Probably not–because someone whose morals permit them to rob a bank once is likely to rob it again.
And I’ll tell you a story. Last month, a vice president of my employer challenged us to breach the defenses around one of the company’s computer systems. I won’t go into the details of what he told us to breach, but he gave us two files and told us to steal them. The only rules, other than not stealing anything besides those two files, were that we had to tell him what we did, and we had to use company e-mail to disclose it. Aside from that, just about everything went.
The guy who designed the defenses we were supposed to breach was an old mentor of mine. He changed the direction of many people’s careers, including but not limited to mine. He taught me more than anyone else I know. He’s given presentations at hacker conferences. The guy is good–much more skilled than I am.
And yet, at last count, all of us breached his defenses an average of three times apiece, using various means. He’s good, and he thought of a lot, but couldn’t think of everything. Once they close all the openings we found, the defenses will be even better. But I won’t bet on them being impenetrable. In a year, if we repeat the challenge, chances are someone will find something we didn’t find this year.
Computer systems are a lot like cars. They aren’t perfect. Even Scourge the Wonder Honda, my 2002 Honda Civic with 205,000 miles on it, has been recalled two or three times. Scourge also failed three straight emissions inspections from 2003 to 2006–hence the name, Scourge. Could Honda have had its engineers obsess over the design a little bit longer to avoid those flaws? Certainly. But at some point they had to declare it good enough, release the design, and start building.
If we waited around for our computer systems to be 100% perfect, we would never deploy anything. Nobody’s built a perfect one yet.
When I sign off on deploying a new system, I’m not saying the system is flawless. I’m saying that the system is good enough that the risks of not deploying it outweigh the risks of deploying it. Sometimes the system even goes out the door with a known flaw–but if I’m the one signing off on it, I know when the flaw is going to be fixed, how it’s going to be fixed, and why it wasn’t fixed yesterday.
We find more stuff than we miss, but trust me, when we find something, it doesn’t make us popular. I’m pretty confident more people see me as an obstructionist than as a hero.