Help Wanted From Convicted Cybercriminals

The most recent ISC2 Cybersecurity Workforce Study found a shortfall of 111,000 professionals in the Middle East and Africa region. While that number pales in comparison to other parts of the world like the US, where the gap is at 522,000 — it's a significant deficit that has inspired one controversial solution.

Chidiebere Ihediwa, an African cybersecurity specialist, recently told Nigeria's Economic and Financial Crimes Commission that online scammers and fraudsters should be retrained as information technology specialists. Ihediwa said redirecting the knowledge and capabilities of these people would be advantageous to the nation. The Nigerian Economic and Financial Crimes Commission had not responded to Dark Reading as of this posting.

But is retraining and hiring hackers and cybercriminals with a shady past a realistic solution?

Going Legit

The conversation on whether to hire those who have done bad things in their past or not is not new. A similar debate five years ago had differing opinions, but one argument was that hackers with experience of conducting cyberattacks should be the best people to plan and test cyber defenses because they had the actual experience in breaking them.

How likely is it that someone with a criminal past would be hired as a legitimate IT security professional? UK-based recruitment specialist Owanate Bestman says when it comes to the recruitment process, there is a certain sympathy from some hiring managers to give those who have done wrong a second chance. But sometimes a company policy may prevent such goodwill.

"I had one of my candidates speak to HR and they flat out said 'no,' and the reasons can be quite industry-specific, but one of the reasons to say 'no' is because there is an element of fraud involved — and that eliminates you from so many positions because there is a capacity of dealing with personal data," Bestman says.

Opportunity Cost

There is also the consideration of how much a business would need to supervise the reformed cybercriminal's work. Confidence Staveley is the founder and executive director of CyberSafe Foundation, a non-governmental organization dedicated to improving inclusive and safe digital access in Africa. She says the call to retrain cybercriminals and fraudsters "is a fantastic thing to do." But, she says, such a move would require a multi-layered monitoring process, and would depend on whether the former convicts would want to work full-time.

Staveley said most full time IT security employees earn around 300,000-500,000 Naira a month, which works out around US $400, whereas a cybercriminal could be earning $10,000-100,000 a month. This has to be considered in the retraining process, as well as offering them an attractive salary.

Just how to take someone with a criminal past, pay them more than the average wage to keep them away from the dark side is doable, she says. Consider the billions of dollars that are lost to business email compromise (BEC) attacks alone, she says: if $100 million could be committed to the retraining project to pay salaries, housing, and other perks, "you would find those [cybercrime cost] numbers would drop by at least 30%."

Obviously this depends on the willingness of former cybercriminal to be repentant for their previous actions, she notes. They also could help mentor young people on how to make the right decisions online, which, along with legitimate work, would be very welcome in Nigerian society. While she acknowledges that these steps will not stop the problem of cybercrime altogether, "a combination of interventions could help," she adds.

Bestman concurs that ex-fraudsters could use their experience to teach others in an organization how cybercriminals operate to better inform their defenses. "These people with a chequered past, they are not just good from a technical position, but from the psychology, behavioral, and cultural elements of security within an organization, understanding how the user works and how the attacker can penetrate the mind of the user," he says.