CYBER WEEK 2018
This year the annual Tel Aviv cybersecurity fair hosted over 9,000 specialists, corporate representatives, entrepreneurs, hackers and researchers, who came from the four corners of the Earth to discuss the challenges and opportunities of cybersecurity, which constitutes a key area for most industries today in an environment characterized by the abbreviation VUCA – Volatile, Uncertain, Complex and Ambiguous. Against a global background where the number of cyberattacks is increasing exponentially, leading sometimes to the total paralysis of entire fields of business, the attendees shared their experiences of and views on the challenges posed by and the opportunities arising from cybersecurity in the coming years. The common aim of all those present at Tel Aviv University was to learn and draw inspiration from the vibrant Israeli security and cybersecurity ecosystem. While the summary below is not exhaustive, we describe here ten cybersecurity challenges that we took away from the event.
Challenge 1: Cybersecurity is not a technological problem
There is certainly an array of technological solutions for dealing with cyber-risks, but problems relating to cybersecurity are never in themselves technological. The political, economic, sociological, psychological, business and ethical dimensions are all crucial for understanding the challenges a rising from cyber-risks. What motivates cyber-criminals, their attack behavior, and the underlying political issues are just a few examples of what we need to understand. If you want to anticipate cybersecurity risks that might cause chaos in a city, an industry or a business field – as was the case with the WannaCry ransomware attack in 2017 that affected over 300,000 computers worldwide, entailing losses amounting to €4 billion – then you need to take an interdisciplinary approach in your organisation. The Interdisciplinary Center of Research in Cybersecurity (IRCR) at Tel Aviv University was set up in 2014. Hosting some 250 researchers specializing in the hard sciences – computer science, engineering, mathematics, life sciences – and the 'softer' sciences – psychology, sociology, economics – the ICRC is a good example of this interdisciplinary type of approach, which should inspire companies to identify and anticipate cyber risks that are by nature unpredictable. In addition, in the cyber-world each new generation of technologies lasts on average for just one year – a very short cycle, which makes it difficult to predict the cyber-risks of the future.
Challenge 2: The concept of cybersecurity is hard to define
the overall cost of cyber-criminality in 2018
Since virtually all companies began to go digital, the number of cyberattacks has been increasing exponentially. The cost to the global economy of cyber-criminality is estimated at $500 billion in 2018, with an average cost of close to $4 million per cyberattack. Such attacks make media headlines and are one of the main headaches currently faced by corporate boards, but what exactly is cybersecurity? ICRC Director Professor Isaac Ben Israel, offered the audience his definition of what it means: "A cyber threat is anything and everything relating to 'the dark side of IT'", pointing out that the general public tend to talk about cybersecurity without really understanding the ins and outs of the subject. Basically, cybersecurity covers five areas: fraud, both internal and external; IT systems and their resilience; data security; third-party risks; and threat intelligence – i.e. detecting threats from external sources by gathering open data, data from online communities and from the 'dark web', plus from the abusive and/or malicious use of emerging technologies such as Artificial Intelligence, Blockchain, etc.
Challenge 3: Cybersecurity is an Open Innovation challenge
Open Innovation means collaboration. Collaboration between companies and government and, more widely, collaboration between public and private players. The Israeli cybersecurity ecosystem is a three-way system including the army, academe and industry. The boundaries between these three areas are rather blurred; there is really a continuum between the three, which enables cyber specialists to be trained and cyber technologies to be developed. The army trains specialists in the field of security in general and more specific cybersecurity, then the university polishes up their academic capabilities while they work on approved army-related projects. Professor BenIsrael estimates that 1200 new startups are coming into the cybersecurity field in Israel every year. A thousand of those will fail and most of the remaining 200 will not last the following year either. This market-led selection is intentional, enabling a wide range of ideas to come through. A number of bilateral round-table discussions taking place during Cyber Week gave us the opportunity to observe some noteworthy brand names from a number of countries, including the United States, Germany, Japan, India, Singapore andFrance. During the France-Israel discussion, entitled 'What French companies are looking for in the Israel Cyber arena', representatives of Airbus, Orange, Renault-Nissan, Aster, Trusted Labs and L'Atelier BNP Paribas shared their insights on this subject. This writer shared his own view of the speed at which innovation is coming from researcher-entrepreneurs, especially in the field of cybersecurity. The basic aim is to support business leaders in the search for solutions to business and/or technological challenges by getting high-flying researcher-entrepreneurs to hack solutions to key challenges when the existing market or relevant startups are not able to provide the answers.
Challenge 4: Privacy & Security by design
Privacy and confidentiality issues were also on the Cyber Week agenda: data confidentiality must be taken into account at the design stage of any product or service that is being developed. There is thus a need to train designers in data security and confidentiality issues. Some researchers have also pointed out that technology people either do not understand, or do not want to understand, privacy issues, or that they confuse privacy with cybersecurity. It is absolutely essential to take the need for privacy into account, given that nowadays we often use services and products designed abroad. Providing solutions and services that incorporate 'Privacy & Security by design' now constitutes a huge challenge in an evolving regulatory context coupled with galloping cyber-crime. On the data front, we noted two key points: the first concerns the need for companies first of all to use the data they have before looking to draw on external data. Companies today have huge amounts of data available, which they need to sort, process and use as a first step before moving to use external data such as unstructured data drawn from the social networks. The second has to do with the Zero Knowledge Proof (ZKP) method, an emerging approach for which there are a number of promising applications. The way this works is that one party (which may be a computer system) proves his/her/its knowledge of a certain value and the other party is able to validate that proof, without any information being conveyed between them apart from the fact that the prover knows the value. The protocol enables proof of the veracity of data coming from a number of players in a given ecosystem to be provided to all the players in that ecosystem without giving anyone the actual data. With Blockchain-based transactions, transaction details are visible to the other parties in the network. By contrast, where a transaction is based on the ZKP protocol, the players know only that a valid transaction has taken place, while information on the identity of the sender, the receiver, the asset in question and the quantity involved all remain anonymous. The ZKP protocol was developed in 1985 by three researchers at the Massachusetts Institute of Technology (MIT): Professors Shafi Goldwasser (an Israeli researcher who also attended Cyber Week), Silvio Micali and Charles Rackoff.
Challenge 5: Companies need 'friendly hackers'
and 'friendly hacker'
I think we can beat cyber-criminals at their own game if we can think like friendly hacker
"I think we can beat cyber-criminals at their own game if we can think like friendly hackers", Keren Elazari, a cybersecurity researcher and 'friendly hacker', told conference attendees. Given the level of sophistication of cyberattacks today, the huge underlying economic aspects at stake and the long-term nature of cyber-risks, companies have now begun to understand the strategic dimension of cybersecurity. Technology alone cannot solve the challenges of cybersecurity. Making huge investments in technological solutions without training your staff efficiently and making your customer and partner ecosystem aware of the issues is an approach that is doomed to fail. Companies need more than ever to cooperate and recruit friendly hackers – 'white-hat hackers' in the jargon. These people can play a key role in promoting cyber literacy and anticipating or simulating cyber-risk scenarios. So we ought to change the way we do things, moving from a defensive to a more attacking approach to cyberattacks. During the Bsides TLV event – a day during Cyber Week where the focus was placed on the hacker community – a former representative of the US Federal Trade Commission stressed the important role which hackers can play to help governments make the right decisions. The 'Tech Interpreter' role of hackers has also evolved: hackers now need to broaden their research and make it understandable to firms, governments and citizens. A key example given was the decision of the USDepartment of Defense in 2016 to launch the Bug Bounty program – a competition designed to mobilise over a thousand 'white-hat hackers' to identify and solve network security problems. Indeed, a wider trend identified during Cyber Week was that an increasing number of firms are now starting to bring in outsiders – white-hat hackers, security specialists and red teams(external security teams whose objective is to assess a company's overall security level by putting its various assets to the test) – to hack and solve their security problems. Keren Elazari underlined that companies, especiallyEuropean banks, have in recent years learned to benefit from an outsider's viewpoint by sponsoring programmes and conferences which attract friendly hackers, who then become potential recruits for the firm's IT and Security department.
Challenge 6: Crypto-crime, the dark side of the Blockchain
Aside from all the experiments currently taking place in uses of the Blockchain and the massive investment being poured in, it is clear that the Blockchain's reputation is suffering, due in part to its association in the public's mind with the emergence of a new type of cyberattack: crypto-crime. This is a new typeof cyberattack, which can take a variety of forms: ransomware, whereby for example crypto-currency holders can be held to ransom via traditional phishing techniques; scams linked to the raising of funds through Initial Coin Offerings (ICOs); and Cryptojacking, or Coinmining, a process whereby a cryptocurrency miner uses another's computer to mine coins without his/her consent. Anonymity, speculation, price manipulation and increasing demand are all aspects of cryptocurrencies that cybercriminals seek to exploit. Cryptojacking could also become a weapon for some governments to get around international sanctions, as with the group of North Korean criminals who stand accused of taking over 4,000 bitcoins – the equivalent of $5 million – fromSouth Korean citizens via a cyberattack on the crypto-currency market platform Youbit. Against a background of general mistrust, experts at CyberWeek stressed the need to draw up outlines for regulation. There are alsoBlockchain-related topics which the academic world could address, such as the issue of trust in Blockchain applications, relevant adaptations to current regulation, and business models.
Challenge 7: Behavioral analysis an antidote to bot-generated fraud attacks
When you look at the customer authentication process, there are currently three options: the one we know best, typically a password; one you can access, for example from a token or via an SMS; and one that is integral to your person (biometrics). Biometrics can take various forms: fingerprints or face, voice and palm vein recognition. Behavioral biometrics is based on to the way users do things: the way you hold your device, the way you flip through the pages on your smartphone or the way you write. This technology is essentially used for the authentication process and for malware detection. Another case study presented during Cyber Week was about the detection of attacks from 'emulators', i.e. software that simulates physical devices that criminals can use for their own ends. Fraudsters can for instance launch a number of emulators on the same mobile app and use the stolen information to hack into bank accounts. Behavioral biometrics can intervene where emulators fail: the ability to simulate man-machine physical interaction through machine learning techniques means that human behavior can be distinguished from that of a bot. We should note that that 40 to 60% of all financial institutions' web traffic is generated by bots (aggregators, scrapers and crawlers), hence the need to have solutions available to detect this kind of automated fraud. By combining thousands of physiological, cognitive and behavioral parameters, the use of behavioral biometrics also means that unique user profiles can be created, thus making the task of a fraudster more difficult.
Challenge 8: Forget data theft, say hello to the Influence Wars
The goal of a traditional cyberattack is usually to hijack data, as was the case with the Adidas group in late June. Adidas announced that certain data belonging to customers who had bought from the Adidas.com/US site had been hacked. Data theft is of course by far the main reason for cyberattacks. What is less common but is nevertheless a weak signal to keep track of, is the war of influence whose aim is to undermine public opinion and sabotage the democratic process. One example of this type of cyberattack might be when, for instance, during the Eurovision Song contest a Distributed Denial of Service (DDoS) attack takes over control of the sound or encrypts the image when a singer is performing, which can have psychological and economic consequences for countries and their citizens. One might also imagine the same kind of scenario during a World Cup football match. Physical security is of course vital during a sports competition in a stadium but phishing-type attacks and cyberattacks could for example encrypt television broadcasts or transmissions from video streaming sites which are being followed by tens of millions of TV viewers. Moreover, the social networks have become fertile ground for government agencies wishing to indulge in such wars of influence.
Challenge 9: Cybersecurity is a massive challenge
Cybersecurity specialists believe that this will continue to be a challenge for a decade to come. The underlying question is… do we have enough time? Researchers at Cyber Week agreed that, given the constant evolution of cyber-threats, we need to continually learn from our mistakes and analyse what is happening. The example given by speakers was the Video AssistantReferee system, used for the first time during the FIFA World Cup in Russia. The idea is to help or challenge referees' intuitions when they take decisions. We can see from the example that cybersecurity is not necessarily an exact science and that we are moving towards 'augmented' cyber-analysts. The time-scale for addressing cyber-challenges is a decade: three steps are needed to reach a mature phase in cybersecurity, what the experts call 'cyber-readiness': first, Catch up; second, Align (with the major market trends);and third, Disrupt (creating layers of security for one’s customers and essentially becoming a Cybertech Company). Currently the digital giants from the US, Europe and Asia cannot yet claim to be Cybertech Companies. The ambition of becoming a Cybertech Company is gaining ground: a number of manufacturing companies and financial institutions are now beginning to position themselves so that they can develop 'secure by design' solutions, in collaboration with cybersecurity experts from the Israeli ecosystem, where one of the main characteristics is becoming a cybersecurity hub, taking an approach that is both defensive and offensive.
Challenge 10: The challenge of education
"What are we doing with our people?" This was the question posed by Jayson Street, a white-hat hacker and ambassador for DEFCON (Defense ReadinessCondition – an alert state used by the United States Armed Forces) who spoke at the Bsides TLV conference, which brought together over a thousand friendly hackers from the Israeli ecosystem. His proposal can be summed up in one word: education."Start by educating users and making them take responsibility", underlined Jayson Street. Training users – staff, customers, partners – is vital, given that people are known to be the weakest link in any organization. Several cybersecurity experts and senior Israeli army officers stressed the need to educate citizens about cyber risks from a very early age. Israel has six research centres specializing in cybersecurity, combining basic and applied research via partnerships with manufacturing companies and financial institutions. The country is a hotspot in the 'cyber' field and has succeeded in transforming the approach to cybersecurity from 'risk-driven' to 'business-driven'. The Israeli ecosystem numbers more than 420 security companies, fifty multinational company R&D centers (some of which are centers specializing in cybersecurity), financed by over $815 million raised byIsraeli Venture Capital cybersecurity firms, boasting exports of security solutions with a total value of $3.8 billion in 2017.
Given all these challenges, we can get some kind of grip on the size of the phenomenon and understand that 'cybersecurity' covers a whole family of risks that must be tackled holistically. The first lesson from Cyber Week is that cybersecurity is a concept that is hard to define. It cannot be limited to a techno-deterministic approach to be dealt with by company IT or Security departments alone. The second lesson is that it is difficult to predict future cyberattacks or formulate scenarios, because threats develop very fast and generations of cyber technology rapidly become obsolete. Lesson three is that no company can claim to be the 'best in class' when it comes to cybersecurity or to be a source of inspiration for others: one reason is the increasing number, frequency and sophistication of the threats, plus the very short lifecycles of technology security solutions. One aspect limiting the level of sophistication of cyber-threats is that lazy hackers often use existing elements, old vulnerabilities to generate new malware, for example. Attendees at Cyber Week will remember in particular the resilience required and the trust you need to place in people who share information, without divulging their sources, in order to identify hackers, as happened when there was an attack on Deutsche Telekom's routers that caused telecom services to crash for 1.2 million Deutsche Telekom private users , depriving them of access to the Internet and telephone services. Lesson four is about skills: companies need to recruit a wide range of talented people in order to address cybersecurity challenges. Among the people needed are friendly, 'white-hat' hackers. Welcome to the age of interdisciplinary cybersecurity! The fifth lesson relates to the dilemma between financial institutions opening up – mainly due to new regulatory requirements and the digitalisation of processes (PSD2 APIs, Open Banking) –and the need to secure their architecture and assets, especially their customers' data. The final lesson comes straight from the Israeli cybersecurity ecosystem: cross-fertilisation between industry, the army and the academic world, a truly staggering cybersecurity startup ecosystem, and concentration of high-flying researchers and hackers. Basically, Israeli cybersecurity amounts to a 'Cybertech Nation', a source of potential inspiration for any firm aiming to become a 'Cybertech Company'. Israel has been successful in its drive to transform cybersecurity from a risk-driven approach to a business-oriented approach. More widely, the ultimate challenge for companies will be, in addition to securing their assets, to innovate in the area of cybersecurity and come to see cybersecurity not just as a risk, but as a business in its own right, serving its overall business activities and its wider customer, partner – and even competitor – ecosystem. Welcome to the age of 'Cyber as a Business Service'.