The international security expert Sandro Gaycken talks about the scarcity of hackers, what chances companies have of obtaining their services and why normal internet users are not targeted by hackers.
Mr. Gaycken, many companies are looking for qualified IT staff and good hackers. How likely is it that companies such as insurers will find highly capable hackers?
Very good hackers are willing to work for companies, but they are not cheap. There are good hackers on both sides of the fence. They are not necessarily the bad guys. The majority of talented hackers have always been “good guys” and were never criminally inclined. Just like me. I have no intention of becoming a criminal, although with my talents I would have made a great Mafia boss (laughs). This is also true of hackers. They can hack but they don’t want to be criminals. They start out as hackers and if any are criminally inclined, then they will become criminals. There is no “light and dark side”. The hackers that work on the light side used to face the problem that nobody wanted to hire them except organisations that need to hack, such as banks, the police, etc. A lot of them did systems admin jobs for a pittance. That was until the cyber security hype took off. In the early days, everyone thought you just needed to buy a firewall and that was it. Then they noticed that the technology in this whole IT security game has a very short shelf life. And that you need to go much deeper into the architecture of the whole thing. The large IT companies noticed this fairly quickly and started to employ hackers. That is when they realised that actually there are not that many hackers around. The Chaos Computer Club may have 6,000 kiddies every year, but there are perhaps 40 to 50 real hackers active in all Germany.
So hackers are scarce?
Yes, it is the same in other countries as well. And that is what started the race for talent. Because everyone realised that the most sensible thing you can do is to harden architectures and recruit elite hackers. Currently, the main employers of hackers are Amazon, Google and Apple. They have even established their own hacker hubs, for example Google with Project Zero in Zurich, in order to poach talent in Europe. And now the problem for German companies is that the really good hackers and penetration testers are being hired with an annual salary starting at €300,000, and going up to €1.2 million. German authorities would also like to have hackers in their ranks but they only pay up to €80,000 a year for a job in some Munich suburb with little to no chance of advancement. And German industry wants to hire hackers, but not pay more than €100,000 to €120,000 a year. Then they only get the ones that the companies in Silicon Valley don’t want.
Is this war for talent just about money? Or do companies have a chance if they offer a pleasant working environment and other benefits?
Money matters to all hackers, and more to older hackers than younger ones. But younger hackers are also in it to seal their reputation – fame in the game. Seeing which top-notch hackers they can work with. Google Zero was clever in this respect. The first hackers they hired were very well known in the scene, which attracted many others who thought “I simply must work with these people”. Then you have the very easy-going working atmosphere coming over from Silicon Valley, with lots of opportunities to work from home. German companies really struggle with this. They put a ping-pong table in the office and think they have cracked the culture, which is simply not true of course.
Are companies that cannot attract many good hackers at a strategic disadvantage? Or do they still have a chance of warding off attacks?
Well, some of them do get hold of able people. A few of the DAX companies already had a couple of good hackers on board who then attracted others. It is not all bad. But you have to be flexible if you want to compete in this league.
Some manufacturers – of antivirus software, for example – regularly spread panic, claiming that normal internet users are in constant danger of being bugged, spied on and having their cameras hacked.
It’s complete nonsense, that even Telekom likes to spread. Warnings about hundreds of thousands or even millions of attacks every day. Those are just variations of automatically generated attacks on existing structures, which are relatively harmless. A €40 firewall from your local electronics shop is enough to defeat them. What are really dangerous and can even hack the camera on a Mac are targeted attacks that cost a lot of money to stage. You can see the prices hackers charge for these on the internet, for example on Zerodium’s website: a customised attack on a Mac costs about €2m to stage. This may be deployed several times but it is terribly expensive to achieve on a Mac. As soon as it is detected, it becomes ineffective for all platforms. In other words, it is not something you would just waste on the masses. But there are paranoid conspiracy theorists out there who believe that just because they once wrote a blog article about Angela Merkel they are being monitored by the secret service. Which is far removed from reality. The same is true of covering the camera on your laptop. If you are not a key person in an international terror network, just forget about it.
The chances of an everyday internet user being hacked are very slim, then?
Of course. Why would anyone bother? Why would anyone spend €2m to hack a computer science student? It is complete nonsense.
How do you protect your computer? Do you only have Macs at home?
Yes, it makes things so much easier.
Interview: Helge Denker