The Moscow government has officially hired several individuals who were previously responsible for hacking the city’s own digital education platform, the Moscow Electronic School (MES). According to a city official, “three or four young people” who had successfully breached the MES system are now working for the city, focusing on enhancing the platform’s security and other municipal services. This decision to recruit former adversaries rather than prosecute them is a strategic pivot, aiming to leverage their unique skills and insights to fortify digital infrastructure. The names of the individuals and the specifics of the attacks were not disclosed, maintaining a level of discretion around the controversial hiring. This move reflects a growing recognition that those who can exploit vulnerabilities are also best equipped to defend against them.
The decision to bring these hackers in-house comes after the MES platform has been a frequent target of cyberattacks. In September 2022, the system suffered a major incident that experts identified as a wave of ransomware and distributed denial-of-service (DDoS) attacks, despite city officials initially blaming the outage on technical maintenance. Later that same year, there were reports of a massive data leak from the MES platform, allegedly exposing personal information of 17 million users, including students, teachers, and parents. While Moscow authorities denied the authenticity of the data, the repeated security incidents highlighted the platform’s vulnerabilities and the urgent need for a more robust cybersecurity strategy. The hiring of the hackers suggests that city officials believe the best way to prevent future attacks is to employ those with a proven ability to bypass existing defenses.
The practice of recruiting hackers is not unique to Russia; it is a global phenomenon seen in both government and corporate sectors. In Russia, a notable example is the Federal Security Service (FSB), which appointed a former hacker to a high-ranking position within its main cyber unit, a unit later accused of involvement in hacking American political figures’ emails during the 2016 presidential election. Similarly, in China, it’s reported that companies are hiring top hackers to uncover software flaws that are then exploited in cyberattacks against other nations, particularly the U.S. This trend underscores a shifting paradigm where the lines between “black-hat” (malicious) and “white-hat” (ethical) hacking are becoming increasingly blurred, and the value of offensive cybersecurity skills is recognized by state and private actors alike.
Many governments and corporations have established formal programs, such as “bug bounty” initiatives and “white-hat” hacking competitions, to legally engage with cyber specialists. These programs offer a legitimate and often lucrative path for hackers to use their skills for good, identifying and reporting vulnerabilities in exchange for compensation. For example, the U.S. Department of Government Efficiency hired a 19-year-old with alleged ties to cybercrime communities, showcasing a willingness to look past a person’s history if they possess valuable skills. This approach provides a structured framework for ethical hacking, transforming what was once a criminal act into a professional career. However, the Moscow case differs as it appears to be a direct recruitment of individuals who had already committed a malicious act, rather than a pre-emptive program for ethical hackers.
The move by Moscow authorities to hire the hackers who attacked their own educational system is a practical, albeit controversial, response to a persistent cybersecurity problem. Instead of simply punishing the perpetrators, they have chosen to harness their expertise to strengthen their digital infrastructure. This action aligns with a global trend where governments and companies are increasingly recognizing that the skills of former cybercriminals can be an invaluable asset in the ongoing battle against cyber threats. It suggests a pragmatic shift from a purely punitive approach to one that prioritizes security outcomes by utilizing all available talent, regardless of their past actions.
Reference:
