Should former spies work on privacy products?
Can a killer skillset outweigh the potential reputational damage of hiring a (former) fox to guard the henhouse?
Pre-2013, most of those living in the West took online privacy for granted. Dystopian surveillance programs were viewed as something done somewhere far away, in places not yet graced by the light of democracy and freedom.
Then, Edward Snowden blew the whistle on the NSA’s PRISM mass surveillance program in the US. Following his revelations, data privacy finally began inching its way into the global conversation.
As more people became aware of how governments may be tapping our communications and how our data can be intercepted as it travels through the world wide web, the market for online privacy products like VPNs and encrypted email services began its swift ascent from niche to mainstream, and is now expected to reach a whopping $17.75 billion in North America by 2028.
However, just as with government spying, millions of users who trusted their privacy product providers to valiantly protect their data from prying eyes were in for more than one rude awakening. Over the years, multiple so-called privacy products bent the knee to government agencies or have been outed as data-gathering operations.
Does this mean that every privacy product is secretly collecting information about our online activities? Not necessarily.
However, with the recent revelations about ExpressVPN’s chief information officer Daniel Gericke’s past as a former US intelligence agent who privately worked on covert surveillance tools on behalf of the Emirati monarchy, the question of ex-spies building privacy products is now on the lips of many privacy advocates.
Hiring a fox to guard the henhouse
Seeing ‘former spy’ on a resume of someone who works on a privacy product would likely elicit an instant negative reaction from any privacy enthusiast. After all, hiring an ex-intelligence operative to protect your privacy can sound, at the very least, ominously ironic.
According to Craig Boyle, the co-founder of IT management company MSP Blueshift, the use of ex-intelligence agents to work on privacy-related products may raise concerns both among users and experts. This is because there’s always a risk that former spies “could use the information and data they have gained through their work to build products with inherent vulnerabilities.”
“There are fears that former spies may use their invention of certain products as a cover for creating security systems that are known to be vulnerable. This would give them access to even more private information without any oversight from a company,” Boyle told CyberNews.
And since the data privacy industry is mostly built on trust, hiring ex-spies to staff the C-suite could likely result in substantial reputational damage to any privacy product, as was reportedly the case with Daniel Gericke.
The value of a killer skillset
With all that said, it’s worth noting that in terms of expertise, hiring someone with the experience of working on offensive surveillance tools could be incredibly advantageous for any privacy product.
Boyle suggests that data privacy companies may hire former spies for their anonymity skills: “If a company wants to keep its security protocol anonymous, it would be helpful to have competent employees to protect it.”
He also notes that not all former spies are created equal. “There’s a difference between an operational hacker and a security analyst – the latter needs to understand how something works before knowing what needs protection,” he told us. “The more diversity in viewpoints, the better it is for securing business data.”
“Hiring former spies does not necessarily mean that the companies are proactively involved in electronic surveillance. Instead, it means they are interested in hiring people who can ensure their security systems are working well.”-Craig Boyle, co-founder, MSP Blueshift
Richard Gardner, CEO of Modulus Global, adds that both privacy and cybersecurity products are highly sensitive industries that require the best and brightest minds to build them.
“Whether you’re building technologies that enhance privacy or protect financial information, they will be tested by bad actors. It is a certainty. And those bad actors are often well trained,” Gardner told CyberNews. He argues that stopping attacks by skilled hackers and cybercriminals calls for experts to look for weaknesses and vulnerabilities in the system.
“That’s the entire concept of ethical hackers. And, if you’re looking for the best – in order to protect users from the worst – there’s plenty of reason to start your search at Langley,” claims Gardner.
Ensuring fair play
According to Andrew Lemon, the principal security engineer at Alias, while privacy companies tend to hire former intelligence operatives as professionals who have been working on the bleeding edge of offensive technology, concerns about their past remain present. And companies must do everything in their power to ensure fair play on the part of ex-spies in their ranks.
“The main concern comes from their willingness and ability to add surreptitious holes that could later be exploited. Former spies tend to have a strong sense of patriotism, so they’re potentially more easily manipulated by their governments to add back doors into products,” Lemon explains.
He believes that the best way to alleviate such concerns is to subject privacy products to audits.
“Big companies, especially software companies, should use certificates, auditing code, auditing after the fact, as well as a solid change control mechanism, and a way to digitally sign every piece of code in a secure fashion, even down to incorporating PKI certificates and hardware security modules to prevent tampering.”-Andrew Lemon, the principal security engineer, Alias
Security researcher and consultant David Lee Djangmah points to good HR as an essential tool in any privacy- or security-focused company’s arsenal. He also stresses that not all former spies are bad actors, adding that “some make good collaborators.” According to Djangmah, the trick to preventing bad apples from obtaining sensitive positions is having the right people in hiring positions. “Because, hackers or not, ex-spies or other highly-risk-mature people simply think differently,” Djangmah told CyberNews.
He believes that good cybersecurity is deeply rooted in strategic thinking and the power of imagination, which is something that many former intelligence operatives are likely to have in spades. Djangmah highlights robust HR as the linchpin of security, as opposed to “expensive security products, services, business titles, slick websites or videos.”
“Understand how to find the good apples among ex-spies, and you get consummate professionals who can fulfill your brand promise, as well as strike the right balance for optimum customer and shareholder value.”-David Lee Djangmah, security researcher and consultant at #iTHiNKLabs
Craig Boyle adds that privacy-focused companies should address potential spying concerns by ensuring that their ex-spy employees are aware of their responsibility for protecting their customers' data: “They need to be sure that if former spies are employed, they only access the information necessary to do their jobs. They also need to consider whether they will pay former spies more than other employees to account for any risk they may pose.”
Placing internal checks and balances on former intelligence operatives seems like a sound idea in theory. But will they be enough to assuage users’ fears of secret surveillance? For an industry built on trust, it might seem rather far-fetched.
At the end of the day, however, it’s up to the users to decide which privacy product to place their trust in. One can only hope they choose wisely.
More from CyberNews
Subscribe to our newsletter