Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Help Wanted From Convicted Cybercriminals

Rather than languishing in jail for their crimes, could former fraudsters turn to legitimate cybersecurity work? African cyber expert's recommendation resurrects that debate.

Closeup of handcuffs on laptop
Source: Andriy Popov via Alamy Stock Photo

The most recent ISC2 Cybersecurity Workforce Study found a shortfall of 111,000 professionals in the Middle East and Africa region. While that number pales in comparison to other parts of the world like the US, where the gap is at 522,000 — it's a significant deficit that has inspired one controversial solution.

Chidiebere Ihediwa, an African cybersecurity specialist, recently told Nigeria's Economic and Financial Crimes Commission that online scammers and fraudsters should be retrained as information technology specialists. Ihediwa said redirecting the knowledge and capabilities of these people would be advantageous to the nation. The Nigerian Economic and Financial Crimes Commission had not responded to Dark Reading as of this posting.

But is retraining and hiring hackers and cybercriminals with a shady past a realistic solution?

Going Legit

The conversation on whether to hire those who have done bad things in their past or not is not new. A similar debate five years ago had differing opinions, but one argument was that hackers with experience of conducting cyberattacks should be the best people to plan and test cyber defenses because they had the actual experience in breaking them.

How likely is it that someone with a criminal past would be hired as a legitimate IT security professional? UK-based recruitment specialist Owanate Bestman says when it comes to the recruitment process, there is a certain sympathy from some hiring managers to give those who have done wrong a second chance. But sometimes a company policy may prevent such goodwill.

"I had one of my candidates speak to HR and they flat out said 'no,' and the reasons can be quite industry-specific, but one of the reasons to say 'no' is because there is an element of fraud involved — and that eliminates you from so many positions because there is a capacity of dealing with personal data," Bestman says.

Opportunity Cost

There is also the consideration of how much a business would need to supervise the reformed cybercriminal's work. Confidence Staveley is the founder and executive director of CyberSafe Foundation, a non-governmental organization dedicated to improving inclusive and safe digital access in Africa. She says the call to retrain cybercriminals and fraudsters "is a fantastic thing to do." But, she says, such a move would require a multi-layered monitoring process, and would depend on whether the former convicts would want to work full-time.

Staveley said most full time IT security employees earn around 300,000-500,000 Naira a month, which works out around US $400, whereas a cybercriminal could be earning $10,000-100,000 a month. This has to be considered in the retraining process, as well as offering them an attractive salary.

Just how to take someone with a criminal past, pay them more than the average wage to keep them away from the dark side is doable, she says. Consider the billions of dollars that are lost to business email compromise (BEC) attacks alone, she says: if $100 million could be committed to the retraining project to pay salaries, housing, and other perks, "you would find those [cybercrime cost] numbers would drop by at least 30%."

Obviously this depends on the willingness of former cybercriminal to be repentant for their previous actions, she notes. They also could help mentor young people on how to make the right decisions online, which, along with legitimate work, would be very welcome in Nigerian society. While she acknowledges that these steps will not stop the problem of cybercrime altogether, "a combination of interventions could help," she adds.

Bestman concurs that ex-fraudsters could use their experience to teach others in an organization how cybercriminals operate to better inform their defenses. "These people with a chequered past, they are not just good from a technical position, but from the psychology, behavioral, and cultural elements of security within an organization, understanding how the user works and how the attacker can penetrate the mind of the user," he says.

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights