Bad Idea: Putting Hackers on Vendors' Payrolls

IT vendors are rewarding the industry's bad boys -- hackers -- and the practice is fraught with potential problems for small and midsize businesses

Paul Korzeniowski, Contributor

September 14, 2007


We have definitely become a nation that glorifies and rewards bad behavior. How many times will we watch the train wreck named Britney Spears make a fool out of herself? How many people are offering Lindsay Lohan a drink and then snapping a picture as she falls face first to the pavement? Will either of them self-destruct, à la Anna Nicole Smith, as we breathlessly wait for the next salacious tidbit about their troubled lives? Unfortunately, such sordid tales are no longer limited to the entertainment world because IT vendors are now rewarding the industry's bad boys: hackers.

Fortune's Andy Greenberg wrote an interesting article that outlines the budding relationship between vendors and hackers. Companies such as Cisco, Microsoft, and 3Com have begun working closely with these criminals, in some cases hiring them to test their new product code, paying them handsome consulting fees, and even buying information about known bugs. Cisco has even set up a 24/7 hot line and a secure system, so hackers can send the company encrypted messages about newfound vulnerabilities. Now, isn't that special?

Maybe I'm just too much of a black-and-white, right-and-wrong person, but such moves annoy me. Should the corner grocery store start scouring the neighborhood and paying local thugs to expose all of its security flaws? I know that companies hired hackers in the past, but my impression was the bad guys were placed in sequestered areas and their work was closely monitored. These moves were designed to place them in solitary confinement; now, companies are paying for their trips to Club Med.

The issue of hiring hackers as consultants is fraught with potential problems and conflicts of interest. Small and midsize companies already have to maintain a delicate balance between providing reputable outsourcing and consulting firms, such as IBM and Capgemini, with access to sensitive data and making sure that corporate data is protected. Knowing that the person who may work with the company's data is a hacker would seem to increase rather than decrease the likelihood that potential security holes will be breached.

I also question the hackers' motivation. Why would they be interested in helping companies close up security holes? If that were what they wanted to do with their lives, then they could get jobs with software vendors' quality assurance teams. Vendors would be quite willing to hire individuals able to identify potential software holes. I think many of these hackers are simply not as proficient as they claim to be and probably were turned down for such positions when they applied. Now, they're forcing their way into the company through the back door.

Another disturbing trend is that hackers are starting to monetize their work. Rather than simply launching a Trojan horse or other malware and exploiting a security hole, they are putting their work up for auction on sites such as eBay. Vendors are now able to bid on examples of security holes, paying anywhere from a few thousand to hundreds of thousands of dollars for product bugs, bringing a whole new meaning to the expression, "You can either pay me now or pay me later."

I wonder who these companies make their checks out to. Somehow, I can't envision my local teller cashing a check made out to MegaHacke112 or many of the other pseudonyms hackers devise in order to mask their true identities. Why would a company want to engage with a person who isn't mature enough to use his real name?

Another item to consider is that organized crime has become a prime-time hacking group, manufacturing much of the malware that now permeates the Internet (by some estimates, 50% to 80% of spam comes from these groups). Eastern European mobs aren't interested in simply having a virus run amok on a corporate network. They're backing the increasing number of identity theft rings that have made consumers leery of completing online transactions. Organized crime's pump-and-dump schemes convince novice investors to buy "hot" stocks, only to see their investments shrivel and die in a week or less. The idea of paying hackers to identify software bugs now provides the criminals with another avenue to pump up their coffers, only this time the money is coming from Microsoft and Cisco and not Uncle Bill and Aunt Minnie.

For years, vendors have tried unsuccessfully to thwart hackers. The idea of co-opting them now seems appealing, but the risks from such a strategy outweigh the potential rewards. Vendors should be working with law enforcement agencies to put hackers in jail, not rewarding their bad behavior.

What do you think of the trend of vendors teaming up with hackers? Do you think it will be effective? If you were a supplier, how would you deal with the bad guys?

Paul Korzeniowski has been writing about networking issues for two decades. His work has appeared in Business 2.0, Entrepreneur, Investors Business Daily, Newsweek, and InformationWeek. He is based in Sudbury, Mass.

About the Author(s)

Paul Korzeniowski

Contributor

Paul Korzeniowski is a freelance contributor to InformationWeek who has been examining IT issues for more than two decades. During his career, he has had more than 10,000 articles and 1 million words published. His work has appeared in the Boston Herald, Business 2.0, eSchoolNews, Entrepreneur, Investor's Business Daily, and Newsweek, among other publications. He has expertise in analytics, mobility, cloud computing, security, and videoconferencing. Paul is based in Sudbury, Mass., and can be reached at [email protected]
