By Yaakov Lappin, JNS
Israeli cyber-security expert Menny Barzilay warns that for the first time in history, crime is being led by the smartest people in the world: “Prevention is not enough; we have to be able to detect attacks that we did not stop and respond effectively.”
The growing risk of cyber attacks faced by all organizations and individuals around the world is a reflection of the fact that “for the first time in history, crime is being led by the smartest people in the world—smart and creative people,” a leading Israeli cyber-security expert has warned.
Menny Barzilay, chief technology officer of the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University and the co-founder of several companies, previously served as the chief information security officer in the intelligence services of the Israeli Defense Forces. He has also held several tech-related managerial positions in the largest Israeli banking group.
Speaking during a webinar held in recent weeks, Barzilay said it was vital to recognize that “everything is hackable; given enough time and money, nothing is safe. That does not mean we cannot be secure in today’s world. But the first step is to acknowledge that everything is hackable. Prevention is not enough. We have to be able to prevent most of the attacks, and also detect those that we did not stop and respond effectively,” he said. “If we know how to do those three things, we are considered to be secure in today’s world.”
The rule of thumb, he said, is that cyber security will become increasingly important with time, and that with change come new opportunities and new threats—all part of a single inevitable two-sided coin.
As new technologies such as autonomous vehicles, robotics and smart cities become available, new cyber-security solutions will also be necessary. “The challenge is how to stay ahead of the problem,” said Barzilay, comparing the challenge to being a hockey player who goes “where the puck is going to be, not where it is now.”
In an age where there are so many cyber-security startups, “it seems like we’re doing a great job, but at the same time, companies are getting hacked, including big companies. … We have to ask ourselves: Is there a way to be secure in today’s world? If those companies are being hacked, what should we do?”
In the coming future, it is clear that “more of our data” is going to be stolen, and that cyber incidents will become more prevalent, he cautioned.
There are multiple reasons for this trend, including the way the Internet is designed, which creates an inherent asymmetry in cyberspace.
Due to this design, it is easier to be a hacker than a cyber defender—much like it is easier to be a terrorist than a government. “If you’re an attacker, you only have to succeed once. If you’re a security person, you have to succeed 100 percent of the time,” said Barzilay.
“Attackers can attack whenever they want. Security has to be 24-7,” he explained. “Attacking is very cheap. Security is very costly. The hackers have no rules. Security has so many rules and regulations. It’s like trying to guard a balloon with bare hands and the hackers have a pin, only needing to get it through the defender’s fingers once to blow up the balloon.”
‘The darkest, most terrible things’
Cyber attacks generate an estimated $1.5 trillion per year, making this form of crime extremely lucrative and creating incentives for criminal organizations to form around cyber attacks. Some of these organizations even have their versions of CEOs and CTOs, with salaries and bonuses.
“Some viruses even have phone numbers for customer support. This is a business; this is a startup,” said Barzilay.
Addressing the specific threat of ransomware, Barzilay said that such attacks favor bitcoin because it greatly resembles “cash money that you can send on the Internet. Criminals have always preferred cash money; you never hear of criminals saying, ‘transfer funds to my account’ … and bitcoin solved the biggest problems criminals had, which is how to monetize cash money on the Internet without being caught.”
Barzilay also called attention to the “Darknet,” an online zone he defined as a “place on the Internet where people can do whatever they want anonymously. It is a marketplace to buy drugs, guns, identities or anything else,” he said. He described it as a place where “the darkest most terrible things” occur, such as pedophilic activity.
The Darknet also created crime “as a service,” where hackers can be hired and people employed to “help sell you stolen information” or buy ransomware instead of having to develop it.
Stolen PayPal account details, fake passports and fake driver’s licenses are all on sale. Barzilay gave a glimpse into the prices in the Darknet: A stolen credit card is on sale there for between $1.5 and $3; a stolen ID is available for the same price; and a person’s entire life’s digital profile, including email and Social Security details, is on sale for between $5 and $20.
Stolen bank-account details are significantly more expensive, “depending on the bank and how much money is in the account,” he added.
“What if someone wants to buy everything—all of the above together? That costs between $1.5 and $3. First, they purchase the stolen credit card and then use it to buy everything else,” he said.
“This is the problem,” he emphasized. “Our brains are programmed to deal with problems like lions leaping at us. We are not very good at dealing with threats on cyberspace. We are good with identifying and creating a sense of urgency with threats that can be identified through our senses. If you hear, see, touch, smell or taste the threat, your brain is willing to create a sense of urgency.
“But the threat on cyber space; we cannot touch,” he continued. “Right now, at this moment, there are hundreds of cyber-attack units working for governments around the world, engaged in attacking the U.S., Israel and other countries.”
In fact, he pointed out, some people’s accounts were probably under attack while he spoke during the webinar, and yet, “the brain isn’t creating a sense of urgency” about it.