After prison, hackers face technical limitations, limited employment prospects

As cybercrime rises and more hackers enter the justice system, those released from prison say they are finding it difficult to find work.

Hackers jailed in the US and many European countries may face restrictions on computer use and Internet access after release that can last for years. Often, a person is prohibited from using web applications or technologies that can mask online behavior, such as virtual private networks, and their devices must be registered with authorities.

“Restrictions are reasonable, but they can cause complications in the rehabilitation and reentry process,” said Thomas Holt, a professor at Michigan State University’s School of Criminal Justice.

After Tommy DeVos was caught hacking into hundreds of corporate, military, state and federal government systems in 2000, he spent the next 10 years either banned from using computers or in prison. He was sent back to prison twice for violating the terms of his supervision, including for using a computer.

“When you’re told you can’t do the thing that brings the most joy to you, it’s very affecting,” said Mr. DeVos, now 38 and living near Richmond, Virginia.

After his prison term, he spent several years unsuccessfully looking for a tech job, working in construction and restaurants until he landed a tech job in 2013.

Tommy DeVos, who served time in prison for hacking federal government websites, now works for software firm Braze and runs a bug bounty hunt through HackerOne. Photo: HackerOne Inc.

Mr. DeVos, a self-described “reformed black hat,” now works in cyber security for software company Braze Inc. and looks for software bugs and other vulnerabilities as a bug bounty hunter for HackerOne Inc., a firm that helps companies work with security researchers.

Alex Rice, co-founder and chief technology officer of HackerOne, said anyone can participate in HackerOne’s public programs as long as they follow certain rules and a code of conduct that prohibits blackmail, unauthorized disclosure of personal information and impersonation.

Braze CTO John Hyman said the company does not hire people with convictions for violent crimes or crimes such as embezzlement or fraud. He said Mr. DeVos’ conviction was not “material to his role” at Braze.

The cyber industry is expected to face more situations that require managers to decide whether to hire convicted hackers. Last year, the FBI received 847,376 reports of cyberattacks, a 7% increase over 2020.

Many hackers have the kind of technical and critical-thinking skills a cyber specialist needs. In some countries, such as Belgium and the Netherlands, technical restrictions on freed hackers are rare, said Catherine Van de Heyning, a Belgian prosecutor and law professor at the University of Antwerp. Many judges deny such requests from prosecutors, saying the restrictions would impair a person’s ability to work and reintegrate into society, she said.

One step towards a corporate job for a convicted hacker is obtaining a certificate from a respected cyber organization. But this is not a path that many people follow. The International Information Systems Security Certification Consortium, a key training organization, has received fewer than 10 applications over the past decade from individuals accused or convicted of cybercrimes, said Clair Rosso, the consortium’s executive director.

Individuals are ethically trained and vetted before receiving (ISC)2 certification, whose code of ethics requires applicants to “act with dignity, integrity, fairness, responsibility and law.”

“It is very unlikely that we will allow them to do our certification because of how closely it involves violating our ethical codes,” Ms. Rosso said of the convicted hackers.

However, (ISC)2 general counsel Graham Jackson said some such applicants had been accepted, but he declined to elaborate.

In Britain, Daniel Kelly was released last year from Her Majesty’s Belmarsh maximum security prison in England after serving half of a four-year sentence for hacking several companies, including Britain’s TalkTalk Telecom Group PLC, in 2015 when he was 18. TalkTalk said that the attack cost it £42 million, equivalent to $48 million, in the immediate aftermath, and that the personal data of about 156,000 customers was exposed. Mr Kelly said he did not make any money from the TalkTalk hack.

On probation until 2023, Mr. Kelly must comply with technical restrictions for another three years after that. These include having to register his devices with probation authorities and restricting his access to software and online services, such as virtual private networks, which many companies require for remote work. Every few months, the authorities seize Mr. Kelly’s devices unannounced to inspect and copy their data, he said.


“There’s a level of paranoia at all times,” said Mr Kelly, now 25, who lives in Llanelli, South Wales. TalkTalk declined to comment.

When he applied for (ISC)2 certification last year, he was told that because of his criminal record, the ethics committee would decide whether he could take the exam, be suspended for life, or apply for certification at a later date, according to an email from the organization seen by The Wall Street Journal.

Mr. Kelly said he could not afford to hire a lawyer to send copies of his case documents that (ISC)2 had requested. “If I could get certified today, it would at least mean that in a couple of years I would still have the certification that is relevant to my field. I would still be valuable,” he said.

Post-release orders for all types of crime are designed to prevent people from re-offending, and in cybercrime cases they naturally include technological curbs, said Alison Abbott, head of the lifetime management unit at Britain’s National Crime Agency, which administers the orders.

“The judge has to make that balancing decision about what can be restricted for the individual and what can protect the community,” she said.

Mr Kelly said he was frustrated watching employers lose interest when they heard a list of technologies he couldn’t use, even though they initially seemed willing to give him a chance despite his hacking conviction.

“I still want to work in cyber security,” Mr Kelly said. “The longer it goes on, the less realistic it looks.”

Write to Catherine Stupp at Catherine.Stupp@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.
