What if we got it all wrong about hackers? What if hackers were tomorrow’s best hope from freedom and a valuable work force for compagnies? Cybersecurity expert Keren Elazari takes us behind the cyberlines, where ISIS is vulnerable, where our legal system seems obsolete and where future geopolitical strategies might just be decided…

Keren Elazari, experte en cybersécurité et speaker USI 2017

Could you talk us through your background a bit? What were the milestones of your journey towards cybersecurity and hacktivism?

The funny thing is, cybersecurity and the hacker world is not just my background, it really defines who I am. Even as a child, I was always really interested in technology and curious about how things worked. I would break things, take them apart, crawl under the table to disconnect the cables and see what happens if I put them somewhere else. My parents have a lot of stories about my childhood pranks!

I think one of the first milestones was getting the Internet, which was in 1993 in Israel. I was around twelve or thirteen and super excited about it—though I didn’t really know what it was! I spent so many hours exploring this world that would never end. That’s how I got interested in this idea of being a hacker.

Sometimes I would find password-protected websites and get really curious about how to get passed those restrictions. I first learned by copying and pasting other people’s tricks and spent a lot of time on IRC (Internet Relay Chat), which was one of the earliest chat networks in the world. That’s where I met some of the first hackers in my life and learned from them. I actually learned English there, at least how to have a written conversation in English through the computer. Later, I met some of these hackers in the real world when I went to a hackers’ convention in Israel. It was in 1999, I was around 17.

Another important milestone is the movie Hackers that came out in 1995. I always talk about this movie in my presentations, because it really gave me the calling. It showed me a hacker could be a hero of a story, and could be a girl! In the movie, it’s Angelina Jolie, pretty much the coolest person in the world from my point of view. Everything was exactly right for me in that cultural moment, exactly what I needed to see and hear to understand it was my calling. There is a scene in particular where the leading characters, the hackers in New York, ask other hackers around the world to help them. You see a montage of hackers in France, Korea, Spain, Germany… That’s what gave me the clear understanding that being a hacker was not just an isolated, local thing. It’s a global phenomenon. I belonged to this “hacker nation”—this was where I wanted to be. You could say I have a romantic vision of hacking!

A lot of people criticized the movie for not being technically accurate. It was very different from the series Mr. Robot, for example. Everything in Mr. Robot is absolutely legitimate, even scripts and codes (I checked!). The movie Hackers was not like that: these kids could do pretty much anything: control traffic lights, hack into the FBI database … this was not realistic in 1995. But much closer to reality now!

You started in “information security” but now it is called “cyber security.” What is the difference and when did that transformation occur?

Keren_Elazari_RSThat’s a fundamental question. Information security used to be about protecting information, secrets. It might be our credit card number, or the secret formula for Coca Cola or Chanel N°5. That’s what information security professionals wanted to protect. Today, it’s not just about protecting secrets, it’s really about protecting things like the traffic light system, the energy system, airplanes, navigation systems, GPS, medical devices like pacemakers… We’re clearly dealing with something other than secrets. In my opinion, the global and cultural change from information to cybersecurity occurred in 2010—specifically in the summer of 2010—that I like to call “The Summer of Stuxnet.” That was the code name for the virus that disrupted the uranium enrichment facilities and centrifuges in Iran. Stuxnet as a software showed the world that 15,000 lines of code could actually disrupt physical infrastructures. It was huge in terms of geopolitics. Heads of governments probably understood then the strategic impact it could have. Some countries had realized it earlier, some would later. But generally, the decade of cyberwarfare officially began in the summer of 2010.


You might also like:

Mikko Hypponen – Securing our future: the new face of cybercrime


 

Some media actually relate this event to the situation with North Korea today and how cyber weapons might be… the best of the bad solutions!

I’m not going to make any moral judgment about Stuxnet, and will look at it from a purely logical point of view. Or even from the point of view of cost effectiveness. If you consider developing that kind of cyber weapon, with the best experts, it might cost you 2 or 3 million dollars, or even 10 million dollars. Then you can deploy it over a period of time, covertly—so without a big “bang”, without people even noticing— and actually achieve your goal. If we contrast that to the cost in human lives, and in US dollars, of sending a bunker-busting bomb on a hyperjet and maybe having an international conflict break out because of it… well that’s easy math!

If I was a head of State, it would be very clear to me that cyber weapons are the best “tools” available. Not just because countries like Iran and North Korea are hard to reach diplomatic agreements with, but also because it’s a very effective way of making geopolicy or enforcing a policy in the world.

It’s thus not a surprise that we are seeing this same approach—that is using cyber weapons to influence and manipulate the geopolitical landscape—with Russia and the United States… It should be very clear that, if you are a politician who wants to influence the world and you have great hackers in your country, you would use that power to shape the world to your liking. We shouldn’t be so shocked to know that—it’s a reality. Truth is, there are ways to manipulate democratic elections or the public’s perception of a democratic process. Simply by providing lots of data, conducting espionage and leaking emails, you can actually change the course of an election. You probably have the same kind of thoughts in France, especially now with the elections. There are lessons to be learned from what happened in the United States. And they better be learned now!

I’d like people at USI to start thinking very differently and very critically about how cybersecurity changes our world, as well as about the world of hackers.

Precisely, how can we change the negative connotations that are attached to hacking so that this becomes a valid career that our next generation will be encouraged to pursue?

Right now, hackers represent an incredible force for change. It doesn’t have to be a scary change or have a negative impact, as we often imagine. It really depends on how companies, governments or organizations learn to collaborate with hackers or harness their power.

One great example is the Bug Bounty Program. It’s kind of like the Wild West, where a sheriff could offer a bounty to get the public to help him find the bad guys. The Bug Bounty program is a way for companies like Microsoft, Google, Paypal, (amongst many others) to offer a reward to hackers for finding problems: security issues or software bugs from their websites and online products, etc. This program is not a solution to all cybersecurity problems in the world. But it represents an incredible force of working with hackers in a productive way.

The Bug Bounty programs have become very much mainstream and getting more adopted by more traditional organizations. It’s not a surprise that companies like Facebook or Tesla work with hackers and learn from them. The Pentagon itself launched a program with hackers called “Hack the Pentagon“, because even the most-established icon of defense has leaks and security breaches. “Hack the Pentagon” has people all over the world that have applied to participate and help them find bugs. It’s not just a great way to find security problems, again, it’s cost effective. Last month I met one of the women that manages the program and asked her how they convinced the Pentagon to open up and work with hackers. She said that it was not the policy of working with them, but the economic benefit that was convincing!

Exemple de hacker participant au Bug Bounty Program mis en place par Facebook

When I suggest to a company to run a Bug Bounty Program, I often get this question: “Aren’t we actually asking the bad guys to hack us?” But here is the wake up call: bad guys, criminals, don’t need an invitation. They are already hacking anyone they can just to make money and get information. This is why I use the term “criminal”. They are very well organized and very well funded.

With programs like Bug Bounty, we create an incentive and the opportunity for hackers to actually report problems, get recognition for their job and maybe even earn some money.

There are more than 100,000 friendly hackers registered in a variety of programs like BugCrowd and HackerOne—which are like social networks for friendly hackers. They are from everywhere in the world: Europe, US, Asia, South America, the Middle East… In some countries, hackers never had the opportunity to legitimately do security research work and legitimately get paid for it by big companies. This is a major development. It’s not just helping companies—it’s creating the future workforce. These programs are also creating an alternative to the criminal cyber world, especially for young people. You can start considering making this a life-long career like I did. This is changing the face of the industry.

I was very lucky to be born in Israel where being a hacker is not seen as a criminal thing. Being a “hacker” was also the nickname for being clever, creative… When I  joined the army, I was able to say “I am a security expert, a hacker. Here are the things I know. I would like to help the army defend its own system”. And I was able to find my way into that instead of being criminalized. I had an alternative. It’s not the case in the majority of other countries.

Hacking is condemned by the law, yet some governments actually work with hackers. Let’s set aside the hypocrisy here… Do you see anything changing in the legislation itself that could lead to legalizing this field in the near future?

That’s a really good question. I’m not a lawyer, but my sister is! She’s an expert in cyber law and intellectual property. Apparently, law systems around the world criminalize hacking in different ways. Changes in the legislations are already happening. Sometimes because governments or lawmakers like congressmen and senators feel like they need to change it, or the FBI or police ask them to. But sometimes the change is driven by organizations like the EFF (Electronic Frontier Foundation) in the US.

The EFF has been working on changing the legislation, especially the Computer Fraud and Abuse Act. It was originally created in the 80’s or 90’s so it can’t possibly match the reality of today. This hacker-minded organization is actually looking out for our liberties. They are leading battles against surveillance, defending people’s rights to digital privacy, etc. This is the kind of organizations that we need, and there are not many of them in the world. There is La Quadrature du Net in France.

There are also things that can be done at a company level—even if hacking is criminalized in your country. For example: a company called Oracle wrote down in its terms of use (the thing that nobody reads but everybody signs!) that if you reverse engineer their software to find a security vulnerability, you are breaking the law, or at least their agreement. The company makes it look like a one-sided decision. But you can make a different one, like Google did, saying: “If you reverse engineer our software in the purpose of revealing a security problem, and you don’t sell that vulnerability on the black market, then you’re not a criminal and we’re not going to press charges”.

Hacking doesn’t have to be illegal by definition. See how Hackathons work! Hacking is about creating new technologies, cultivating new ideas and innovation. It’s about curiosity, the pursuit for knowledge, wondering what else you could do with a specific technology. I can relate this to movies like The Matrix; it’s about not accepting reality as a “read only” situation. It’s about changing our technical reality, or even our political reality. It’s about making a difference, even as an individual.

“Hacking is about changing our technical reality, or even our political reality” @k3r3n3

Is it the same with hacktivism? How exactly would you define this movement?

The outlines are perhaps not as clear.

Logo du groupe de hackers TelecomixWe all know Anonymous, but let’s talk about a different group called Telecomix. They are mostly European hackers (including French and Canadians), and they are the ones that actually helped the Egyptians have access to the Internet during the Egyptian Revolution of 2011. Which wasn’t legal at all from Mubarak’s government’s point of view. But sometimes, especially in dark times, there is a different type of civilian action that needs to be taken. And hacktivism actually creates the path for people to do something.

In the past years, we witnessed the rise of ISIS and other terrorist groups. These groups use Twitter, chat rooms and the Internet to radicalize people and lead their hate propaganda. Anonymous and other hacktivists actually have techniques to take down their networks, or at least make their life harder. That’s very strategic because they are acting in domains where law enforcement is still rather weak.I showed some officials in my own country how the fight against ISIS works on social media, and even people working on social media diplomacy didn’t realize the impact that ISIS had on twitter and they didn’t know that hackers could decide to make an organized action against ISIS in the digital realm. Of course, we could argue that taking down a twitter profile is not the same as stopping a bomb from blowing up, that’s true. However, it has been proven by counter-terrorism experts that the digital realm is a significant field of operations, radicalization and media for organizations like ISIS. As a hacktivist, you can play in that native playground against ISIS and actually create some sort of disruption.

What is the most promising and exciting idea you see coming from the hacking world in the future?

There are two specific areas that I’m very excited about. One is medical devices and the hacking of medical devices. The other is automotives. As you heard, I’m sure, there have been proof-of-concept demonstrations showing the capacity to take over a vehicle, like a Jeep, or to connect remotely to a pacemaker and change the way it works.

I’m really excited that the past few years, there has been a really strong movement of friendly hackers who have focused their energy and research not just on showing and demonstrating the vulnerabilities, but also on working with the industry and the regulators in some cases, to make a safer world. If you consider the way everything is becoming digital, we should consider that a car company also has to become a cybersecurity company. Same with medical companies or airline companies. By providing internet access on their airplanes, they have to start thinking like an ISP (Internet Service Provider). They all have to understand that their products are now closely connected with cybersecurity issues. And that’s a difficult thing for them to do.

I can see a fantastic dynamic interest in the friendly hacker community in these areas. It’s more and more about collaboration between hackers and governments, and most importantly with the companies that make these products and technologies.

logo du groupe de hackers I Am The CavalryI’ll give you an example: one of the hackers movements that I’m a part of, called I Am The Cavalry, invited one of the chief regulators of the FDA (Food and Drug Administration) to come to Las Vegas to a hackers’ convention and meet some of the hackers that are looking into medical device hacking. They also invited the person in charge of product security at Johnson & Johnson. And because of this conversation, when a hacker found a vulnerability in one of Johnson & Johnson’s devices, he was actually able to show them the problem, solve it, and get the regulators’ blessings for doing so! You know regulators don’t usually move fast and companies don’t like to make regulators nervous! Reporting on a security vulnerability in a life-saving product is something that could make a regulator pretty nervous and damage the reputation of a company. By having this conversation, they were actually able to make a safer product, faster than ever. Now I think about Johnson & Johnson in a different light. In my opinion, they gained a more sophisticated approach to cybersecurity. They understood hacking was a valuable asset.

That’s what friendly hackers are capable of, when you have the open mind to listen and work with them. That’s the reason I’m coming to USI. That’s what I’m all about.

Leave a Reply

Your email address will not be published. Required fields are marked *