Cyber security: Attackers Are the Best Form of Defense

Israeli cyber security expert Keren Elazari recommends that every enterprise enlist the services of hackers. She knows what she’s talking about – she was once a hacker herself.

Would you call yourself a hacker?

I’m proud to be a hacker. Strictly speaking, though, I’m a former hacker. The last two years I haven’t spent sitting in front of a computer, but instead have been traveling around the world as an unofficial ambassador for the “white hat” hacker community. This fellowship of good-minded hackers does the real work day in and day out of detecting new vulnerabilities in IT infrastructures and finding ways to fix them. Today I would describe myself more as a security researcher.

Many people think of criminals when they hear the word “hacker.”

The word doesn’t have negative connotations to me. Hackers, first and foremost, are very creative individuals. They stray from beaten paths and employ unconventional thought patterns. SIX, for example, hosted its fourth hackathon in March 2018. Nobody thinks that SIX invites crooks to the event. SIX invites inspired, unorthodox thinkers who don’t break the law, but at most violate established rules to create something new.

Of course there are also criminals who do misuse their hacking talents. Very young hackers from impoverished economic backgrounds particularly are at risk of being forced by necessity or coercion into becoming criminals. An example from Venezuela illustrates that this sometimes can also come to a good end. A student there was caught hacking into a school computer. He wanted to sell test answers for cash. After his arrest, he was given a choice between jail and a job as the school’s IT security adviser. He chose the latter option.

Are your public appearances and articles making an impact? Is the mainstream perception of hackers changing?

My 2014 TED talk has since reached more than two million viewers. I hope that it has contributed to altering the image of hackers, because a change has definitely taken place. An underground convention like DEF CON in Las Vegas has since turned into an international, industry-spanning, intergenerational happening. And, for instance, the Girl Scouts of the USA, the epitome of virtuousness, recently introduced a merit badge for hacking – for good reason, because the need for enterprise cyber security specialists will further increase in the future.

Keren Elazari was a keynote speaker at the recent “SIX on Cyber security” conference. Watch her speech delivered on March 1, 2018, in the video.

Does every enterprise need a hacker on the team?

I recommend it [she laughs]. Over the last three to four years, more and more companies – even those known as being conservative – have recognized the benefits of hackers. But there are many different ways to work together with hackers. I already mentioned hackathons, where the aim isn’t for hackers to expose security vulnerabilities, but to identify new business ideas. But companies are also initiating “bug bounty” programs that reward hackers who discover security loopholes in their systems. Others are actually even hiring hackers as outside or internal consultants. Or once a year they assemble a “red team” of hackers, fictitious cyber assailants with an unobstructed view from outside.

Those hackers are commissioned to find security vulnerabilities. Asked a bit provocatively, don’t criminal hackers make a contribution as well? They, too, expose shortcomings after all.

There are whistleblower hackers or hacktivists who denounce injustices like investigative journalists do, but break the law in the process. I think, though, that you mean hackers with pecuniary or destructive intentions. Come to think of it, even that can result in something good. Think of ransomware that encrypts business-critical data and unblocks it only upon payment of the ransom. It’s a big problem. On the other hand, the latest wave of cyber blackmail attempts has tremendously raised awareness of cyber security. What developers of ransomware do is still wrong, but we can learn something from it.

Is part of this learning process realizing that we can’t delegate cyber security to technology alone?

There are fantastic new technologies like cognitive intelligence that SIX, for example, is rightly using in its security operations center. But algorithms alone won’t protect us. Even the best firewall is worthless if we, as users, act negligently. My research has demonstrated that personal actions now and again have facilitated some of the biggest cyberattacks. Every one of us makes dozens of security decisions every day: We open the door without knowing who’s on the other side, we use the same password for multiple websites, we click on links with no clue where they might lead, or we connect a private device to our workplace’s WLAN. We can use technology to automate those decisions and thus minimize human intervention, but human error will still occur. We therefore need to instill a security awareness, to become or stay a little paranoid.

You live in Tel Aviv, where you grew up. Do Israeli citizens have a heightened security awareness given the political situation?

The reality in which we in Israel live has brought forth astounding innovations. Pressure makes diamonds, after all. Time and again we have had to devise quick, and thus creative, security solutions for sudden threats. Perhaps originally envisaged as temporary solutions, many of them ended up standing the test of time. My perception of the Swiss, for example, is completely different. The stable environment that Switzerland has enjoyed for decades has enabled the Swiss to this day to always be prepared for any eventuality. Those two traits – creativity and constant preparedness – can both be helpful in the battle against cyberattacks.

Let’s look a little into the future. The Internet of Things integrating the physical world with the cyberworld is now becoming a reality. And biohackers are already working on using technology to enhance the human body.

That’s right, and that creates an unfathomably large target for attacks. Compounding the problem is that innovations in biohacking right now are not coming from companies or universities. It is flourishing in a do-it-yourself community that is experimenting with implanted chips and corresponding software. But we don’t have to go to that extreme to become concerned. Think of heart pacemakers or insulin pumps. Patients with pacemakers or insulin pumps already regularly have to run software updates today. So hacking computers was only just the beginning.

SIX Cyber Hub

There’s no doubt about it, Switzerland’s financial industry is under pressure, faced with new competitors, new technologies, and new regulations. And recent years have brought an additional threat of cyberattacks. This prompted SIX to launch the Cyber Hub – an interdisciplinary, multilateral, industry-specific initiative open to all institutions in Switzerland’s financial center – in 2018. The aim of the SIX Cyber Hub is to strengthen cooperation, information-sharing and digital trust.

The SIX Cyber Hub also includes Switzerland’s first-ever security operations center (SOC) built on a cognitive computing platform. The security analysts of SIX onsite in Zurich work 24/7. From fall onward, the SOC will also be available to banks and insurance companies as a managed service. SIX will also launch training and advanced education courses, and will promote and simplify the sharing of threat intelligence among all stakeholders involved.

SIX invites all participants in Switzerland’s financial center to join the dialogue on cyber security: cyberhub@six-group.com.