It’s no secret that U.S. intelligence agencies hire computer hackers for spying on and sabotaging rogue nations, terrorist organizations, and other national security threats. The intelligence community job postings for positions requiring “cyber exploitation experience” or similar expertise aren’t exactly subtle.
But have you ever wondered how applicants gain those skills before putting them to use for the U.S. government? Or have you wondered if they can still obtain security clearances if their acquisition of hacking knowledge was through unlawful means?
The reality is that most offensive hackers hired by the government gain their skills through service in the military’s cyber commands and/or by completing advanced degrees in computer science, telecommunications, or engineering. One recent job posting at NSA required a minimum of a Bachelor’s Degree in one of these or a related field, plus:
“Relevant experience…in computer or information systems design/development/analysis, engineering hardware and/or software, programming, computer/network security, vulnerability analysis, penetration testing, computer forensics, information assurance, cybersecurity, systems engineering and/or network and system administration.”
That’s the safe way to go about getting hired as a government-sanctioned hacker, but it isn’t impossible to get in with a shadier background. Much of it frankly boils down to how badly the agency in question wants your services. Nonetheless, even a hacker of unparalleled skill still needs to be blessed by the hiring agency’s security office. To do that, s/he would generally need to show that the judgment or character issues raised by the prior conduct have been sufficiently remediated (i.e., that the individual can be expected to only utilize their skill-set for employer-sanctioned activities in the future).
This can be a tricky needle to thread. But an applicant wishing to make the attempt can significantly improve their odds by showing: (1) that any ill-begotten gains have been returned or destroyed, as appropriate; (2) that restitution has been paid for any economic loss caused to a third party; (3) that the individual has deleted all software used to facilitate the hacking from his or her computers; and (4) that the individual has demonstrated reformation through an appropriate passage of time and subsequent maturation/reflection, such that the behavior is unlikely to recur.
A couple of comments on these points. First, it may not always be practical or wise to pay a hacking victim or return stolen property because doing so may implicate the individual in the crime. In those cases, the act can be accomplished either through an attorney – who is legally obligated to keep the client’s identity a secret – or, in some cases, by a charitable donation to a different entity. True, the employing federal agency will still know about the crime and can report it to law enforcement for investigation and prosecution if it is a serious offense. But the odds of legal action being taken against the perpetrator may be less than if the victim reported the perpetrator’s identity to law enforcement and demanded action. This is a risk calculous the individual should only make after consulting with a criminal defense attorney – which should always be done before applying for a security clearance with a history of recent and/or serious undiscovered criminal conduct.
Second, the deletion of software used to facilitate hacking obviously doesn’t prevent the individual from re-acquiring the same software. It is, however, a gesture of good faith and its value must be assessed as one part of a multi-pronged mitigation effort.
Ultimately, each case is assessed on its own merits, so what may be sufficient to address security concerns in one case might not cut it for the next. The point is only that not every government hire has a squeaky-clean background. Given the right circumstances, even someone with a history of illegal hacking can eventually get a security clearance. And if they do, they might just find that their skills have become highly marketable to legitimate employers.
This article is intended as general information only and should not be construed as legal advice. Although the information is believed to be accurate as of the publication date, no guarantee or warranty is offered or implied. Laws and government policies are subject to change, and the information provided herein may not provide a complete or current analysis of the topic or other pertinent considerations. Consult an attorney regarding your specific situation.