The Monica Talks Cyber Show

Demystifying and Defending Cyberwarfare

Monica Verma Season 2 Episode 4

In today’s episode Monica Verma talks with an industry leader and a cybersecurity researcher Keren Elazari on cyberwarfare, cybercrime, national security, critical infrastructure and more.

Looking to become an influential and effective security leader? Don't know where to start or how to go about it? Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career. Subscribe to The 10x Circle newsletter at https://www.monicatalkscyber.com.

Monica Verma  0:00  
Hey folks, welcome to a brand new episode We Talk Cyber with Monica! Your one and only platform for real world stories of global experts in security, privacy and leadership, making a real impact every single day. If you want to hear the stories directly from the source and learn and understand; what does it take to build a personal success story? What are some of the key challenges within security, privacy and leadership you're facing? And what can we do about them, and more importantly, build a cybersecurity, break into leadership and take it a step further: then this podcast is the right place for you! So before we start the episode, make sure you subscribe to my YouTube channel, Monica Talks Cyber. You'll find all my videos, including my podcast videos. And if you like listening to podcasts, please tune in and subscribe to 'We Talk Cyber' on your favorite podcast app. Do it right away! So you don't miss any of these amazing stories and conversations. Shout out to today's sponsor: Simply Cyber. If you're interested in more technical security, then check them out. So let's hop right into the episode. This is We Talk Cyber with Monica.

Monica Verma  1:19  
So in today's episode, we'll be talking to an industry leader, a speaker and a researcher of the cybersecurity community. We'll be talking to Keren Elazari. On what is cyber warfare? Can we even define it? In which forms does it exist in a society? Today and maybe even tomorrow? What impact does it have on critical infrastructure and some real world examples? What role does something like basic cybersecurity hygiene play in defending against advanced threats? With the convergence that's happening between the physical, digital and biological worlds? How can we better defend ourselves against cyber criminals and nation state attackers? So if you want to hear all about cyber warfare, cyber crime, and more, let's meet our guest right away! This is We Talk Cyber with Monica. Hi, Keren, how are you doing? Welcome to the podcast show.

Keren Elazari  2:06  
Hi, Monica. Thanks for inviting me to your show. I'm happy to be a guest. And thank you for the lovely introduction. That's very, very sweet, and very kind of you, because I'm inspired by you and everything that you've been doing. So well done. And kudos to you. And thanks for inviting me to be a guest on your show.

Monica Verma  2:23  
Thank you. It's really lovely to have you on the show today. Karen, would you like to introduce yourself? Maybe a bit. I mean, everybody knows you. But just say a few words about yourself. Cool. Yeah.

Keren Elazari  2:32  
Although I've been at the cybersecurity industry for more than half my life -for more than 25 years actually. I still meet new people all the time. So I'm happy to meet your new viewers that I haven't met before. Nice to meet you. My name is Karen Irizarry. I'm a security researcher from Tel Aviv, Israel. And I started my path in the security world when I was a very young girl inspired by the movie 'hackers', and by the character of Angelina Jolie. Because when I saw that movie for the first time, I saw a group of young kids and a girl that looked a little bit like me; In the sense that I had short hair at the time. And I really connected with the message of the film. Those hackers as the 'curious anti heroes' making their own story on the cover in corporate corruption, showcasing to the world what's really possible with technology, I really connected with that idea. Since then -you know 25 years- I've spent working in different parts of the security industry. In the Israeli industry, of course, I served in the Israeli military, in the work with global international companies like AT&T, and PricewaterhouseCoopers, amongst many others. In the past five years, I'm an academic researcher, working with the Tel Aviv University Interdisciplinary Cyber Research Center, and I'm a guest faculty member with Singularity University in California.

Monica Verma  3:52  
Fantastic. So today we'll be talking about a topic that's probably not taught that very often. It's obviously reality,and in a way there are different aspects and nuances to it. So we'll try to pick your academic researcher brain today and hear a lot about the different aspects and so on when it comes to cyber warfare. So let's start with just defining the term cyber warfare; in which forms does it actually exist today in the society, if at all?

Keren Elazari  4:32  
Well, you know, going back to the historical roots of warfare -more than 200 years ago- it was Von Clausewitz, the German Prussian military strategists, that coined the term that: war is simply the continuation of politics in other means. Now, of course, his statement was much more complex than that, and he wrote entire books on the subject.But today, and I believe for the past 15/20 years, cyber warfare - through different aspects of it- has been the continuation of politics through other means. So for example, if we look at one of the most prominent stories with the cyber warfare perspective, we look at Stuxnet -the virus that was discovered 10 years ago- to have disrupted nuclear enrichment facilities in Iran. I think about Stuxnet as one of the very first clear examples of cyber warfare between nation states. Allegedly it was the US and Israel behind that virus. And I think about that virus as a means to an end. It was a means to prevent a nuclear enrichment, a nuclear armament program. So if the alternative to that weapon might have been covert missions, it might have been physical kinetic attacks, so bombing or some other form of way to disrupt that uranium enrichment facility. And the virus, the digital weapon 15,000 lines of code was the choice amongst many other alternatives that were available to the statesman and states women, I imagine that made the decision to use that. So Stuxnet is a really good example, I think, for this historical discussion of what is cyber warfare. There's a few other examples. Of course, cyber warfare is not always a virus or a piece of code that disrupts a physical infrastructure. It could also be cyber espionage, it could also be in the form of disrupting democratic election processes, for example, as a means of influencing what's happening in country around the world or anywhere around the world. So there's a lot of different ways that cyber warfare can play out. But if you want to really define it clearly, there are a few different academic ways to look at it. Clearly, I believe that it's something that happens between nation states, or state like organizations; and it's usually something that's quite strategic; it's something that's done as part of trying to really continue your politics in the world in another way. You want to maybe prevent a certain nation from having access to nuclear arms, or you want to influence the democratic process, the election process in the sort of the country. So it's rather strategic, it's very strategic. Now, it's more helpful maybe to contrast cyber war over to cybercrime, which is something that we all deal with on a daily basis. And cybercrime could be something that affects you, and may affect everybody. And it's usually done for very clear purposes to make money. In some cases, it's done to exert influence on an individual or a corporation. But it's usually not very strategic, it's much more tactical, it's much more day to day as it were. So that's my attempt to try and kind of define and outline these, you know, very complex definitions. And I can tell you, people have been writing their PhD dissertations about 'what is cyber warfare?' for the past 20 years, and it's still not something that's, you know, a clear consensus.

Monica Verma  8:05  
And then and rightly so, in a normal physical war, when it actually starts and where it actually ends, there is a clear demarcation. But when it comes to cyber warfare, or forms of it, it's very difficult to clearly pinpoint. Okay, now we have started this one, and now we've ended this one. And maybe there are continuations of a particular issue that was already there. So it's obviously very difficult. And I think you did a fantastic job in explaining this to the audience, to at least understand that there's a lot of political reasoning and strategic reasoning behind it, as opposed to when you're doing normal sort of cybercrime. The number one motivation is financial gain to random ransomware. And all these attacks that are happening, so that really distinguishes at least an understanding of what cyber warfare is, or could be. So since you mentioned the nation states and political agendas, and how strategic it is: what impact does it have a national security and in critical infrastructure and how can we defend ourselves against that? Because it's not anymore just talking about defending an organization or a company and putting in some security controls in place here. We're talking about a very different strategic level. We need to also have a different kind of thinking. So what are the challenges that you see and what do you recommend for that?

Keren Elazari  9:27  
Yeah, so certainly a lot of challenges certainly now at the age of COVID-19. priorities are also shifting. So one of the things now around the world is that hospitals, healthcare providers, and biomedical research and pharmaceutical research have become targets for particularly criminals. Yes, but also for nation state attackers; trying to get the upper hand if there's information about a vaccine; if there's new data that's being aggregated. We've actually seen that biomedical pharmaceutical research has now become targets also for nation state attackers. So what can we do about it? One of the most crucial aspects of this new age of cyber warfare that we're living in, is that the targets are not simply just military targets in conventional war. Where you typically have an army against an army or you might attack military targets, you'd go after the missile defense system, or maybe we'll go after an airport or something like this. When it comes to digital infrastructure, the most crucial infrastructure for any modern nation is usually the energy infrastructure, and nowadays, the health care infrastructure. So these are have become the new priorities to protect. And I am not going to say, you know, here's what we should all do. But there are certain countries, there are certain governments that have made this as a priority. A few years ago, 10, or 15, or 20 years ago, in certain places in the United States -the CISA agency- which recently saw a challenge to its leadership, because of the outgoing White House administration. In other parts of the world, there are other agencies. And it really differs with the amount of control that these security agencies have over what are essentially, civilian infrastructure is not there, like they're just defending military or national infrastructure. For you and me and for everybody who's listening, cyber warfare might take place on our computer or on our organizational network, because we have seen from different aspects from different attacks that have took place in the past years. That, for example, if we look at the NotPetya attack -which was originally between Russia and the Ukraine- it spread like wildfire. And it impacted a lot of civilian organizations and their networks. So you and I could become casualties, if you will, of this ongoing cyber warfare that's happening between two nation states that we might not have anything to do with! So what should we do? We have to really understand that protecting ourselves -protecting our networks, our computers- is not just about protecting ourself against crime. It's also about making sure that we don't become unwilling allies to somebody else's cyber warfare campaign when our computer is out of date; if it's insecure; if we download and install just any application that we see; or if we click on links that we don't know, yes, we might be putting ourselves at risk. But we also might be helping and abetting, you know, a rogue nation state that's trying to spread small organizational network. These are just a few points to think about. It's a little daunting, you know, this day and age, it's very different to what we used to talk about in the cybersecurity world. In fact, we didn't used to speak about cyber security at all, we used to speak about information security, and protecting protecting info protecting data, secrets, passwords, credit card numbers, databases. Today, we talk about cyber security, because that includes that physical aspect, that infrastructure aspect. In fact, Monica, do you know where the word cyber comes from?

Monica Verma  13:26  
I think it's kubernetes, isn't it? Or cybernetics?

Keren Elazari  13:29  
Yeah, that's right. That's one of the most fascinating things. I love the story. So cyber comes from 'cybernetics'. And it was a science invented or discipline and academic discipline, invented in the 50s, after World War Two, by an app Professor called Norbert Wiener, who was teaching it, I think, MIT in the United States. And when he thought about the Navy, bro, that's from Kubernetes, which means the steersman, the captain of the boat, the person who's in communication with the boat. So cybernetics is about control and communication between human beings and machines. And it's about so much more than just information, data or secrets. It really is about physical infrastructure, electricity, healthcare, transportation, all of these aspects are now part of this much grander world that we call cybersecurity. It's not just a trend that we're talking about cyber and not about just information. 

Monica Verma  14:27  
Absolutely. And I think there are two really good points that he raised here and I want to touch upon them. The one thing that you're saying is we're talking about cybersecurity. We're talking about more than information security, and that's absolutely correct. And we're talking about more than information because now, we're actually living in a world where physical, digital and biological are merging into each other with even more blurry lines than before. And talking about critical infrastructure and hospitals, I mean, I don't think it's far in the future when we will see some kind of attack. Dual heartbeat monitors or actually disrupting the hospital facilities or treatments due to cyberattacks. I mean, we saw an example recently, last year as well, although the ransomware attack that happened in Germany. It was a homicide investigation was conducted. And it was found out later that the ransomware was not the reason why a patient died. But it's not a non-reality. I mean, it's not just fictional, it can really very much happen. That's one aspect. And the other thing that you mentioned was regarding this cyber warfare and the cyber attack and and what we as individuals need to do. And I feel that that's really an important point. Because not just cyber warfare, but I believe, also with cyber attacks in general. There's a lot of this misconception that, whoa, I'm not going to be the target or I'm not the target. This is not going to happen to me, whether it's an individual level or the organizational level, I mean, look at even the small mid size businesses that are like, "Yeah, but what I have, what do I have to lose? I mean, why are the attackers are going to attack me?", and so on... And I feel like I just gave a talk a couple of weeks ago, where I mentioned, everybody's a potential target, either directly or indirectly, or a collateral, or a step into somebody else's network. So I mean, there is such an importance and need, and I know that you say that, yeah, it's daunting. It is, but I believe, talking about it, and then explaining that is really important and key here, so I really love those points that you just mentioned.

Keren Elazari  16:38  
Thanks. And you know, one of the things that I spend a lot of time on as a researcher is looking at what are the current capabilities of attackers of different nation state organizations, and what cyber criminals are doing. And certainly we're seeing right now that cyber criminals are also targeting healthcare providers in the United States. Just recently, Rioch, which is a very scary brand of ransomware hit an entire chain of hospitals called UHF. And in other parts of the world, we've dealt with, we've seen ransomware attacks, even onecry in the UK, disrupted the NHS, the national health care services in the UK. And that was a few years ago. So we are certainly seeing attacks that are spreading and that are specifically impacting health care and other things that we really rely on. Like you said, the digital and the biological, and the physical are all converging right now. It's absolutely what's happening. So I did them. I did want to point out though, although it can seem scary. As security professionals, I think a big part of what we need to do is learn from what the bad guys are doing are always repeat this, we can learn so much from hackers from the malicious hackers and from the friendly hackers. And I spent a lot of time learning and looking at what are the tactics? What are the techniques? What are the new motivations for malicious hackers, and you talked about everybody being a potential target. It's absolutely remarkable to see how criminals adapted to COVID-19. And how they have come up with new monetization models. In fact, even zoom credentials that have now been stolen and traded in underground coronal markets. So criminals are not kind of sitting at home, waiting for the COVID crisis to blow over. They're thinking about how can we make the most money from the digital assets that we can hack? How can we use this crisis to get our hands on more digital assets. And digital assets could mean access to a computer or an organizational network, or credentials, keys, passwords, network shares, databases, there's all sorts of digital assets, and they can all be worth something to someone, even, even for people or those who think they're not interesting, or they might not be a target. criminals have become incredibly clever at monetizing this. And they can hack edge, they can package you know, a whole group of credential stuffing stole or access mechanisms that they stole, and then they can sell it to another criminal or even to a nation state that will find good use for that. So the strategy kind of thinking -well, I'm not interesting, or I might not be a target- that's really, I believe, not very helpful. It's not really up to date with the reality of what's possible and what's happening right now.

Monica Verma  19:30  
And then there's where lies the balance in the sense that yes, we don't have to scare people and scream and say, "Oh, the world is on fire", because that's also not a good way to go forward. But at the same time, it's really important talk about probable potential things that are happening and are very realistic and will become a reality more and more as we go forward with the convergence whats happening. So talking about that going forward, right? I want to ask you, because we have seen a move in doing this now for decades with security started with information security, as I mentioned, and now we're in cybersecurity. I mean, there's a lot of convergence that's happening. Over these years, I still feel like we have not gotten good at the basic cyber security, hygiene. And then obviously, the convergence and automation and AI and machine learning and all these technologies don't make it any easy. With cloud and even more complexities, bigger attack surface; how do we go forward? What predictions do you have for what we are going to see in the future? And for most, most importantly, how we deal with the the issue that we have not covered the basic cyber hygiene? And then we are dealing with more more complex things coming forward.

Keren Elazari  20:48  
So I think I like to look at this challenging time that we are experiencing right now as a chance, as an opportunity, as a time for change. And as we all talk about public hygiene right now, we may think social distancing, everybody's really gotten into the habit, or most people have gotten that into their daily lives right now. Because it's important because it's clear, and it has an important impact on our daily lives. Now's a great opportunity to extend that conversation, also to cyber hygiene, and make cyber hygiene sexy again! Although it never was sexy to begin with... But let's make it, let's make it popular again. And it's common to talk in the context of cyber hygiene, it's common to talk about things like updating your operating system, not using easy to guess, passwords and recycling your passwords. I think right now, with COVID, people are also sharing their devices; they're at home; and they might be working from home; they might be studying from home; and their children are at home, or their spouses are at home. So we've all started to actually share a lot more than we used to. So now is a perfect time to talk about cyber hygiene also, in the sense of each person should have access to their own device, ideally, or at least their own username and password on that device. And within the you know, digital services that we use -whether it's on the cloud, or you know, in the computer on the endpoint- let's think about differentiating. Okay, this is some of my work stuff, this is my professional stuff, try and keep some separation  that seems almost impossible these days. But I think that there is an opportunity here. And one thing I'm extremely hopeful about, and I'm really hopeful that maybe through COVID, we can start changing is moving away from passwords. And I think a lot of organizations have really had to kind of take a really good look at their authentication strategy, when everybody started working from home. And the organizations deployed, you know, cloud services that they would never have done, or maybe would have done in like a three year long change management and processing, now, you know, jump into the cloud immediately. It's a really good time to consider, okay, what is my authentication strategy? What is my approach? Am I requiring the same password or maybe multi factor authentication? Or maybe it's a VPN? What are my requirements, and I really am hopeful that we can see a future with less passwords or no passwords. I think passwords belong in our past. I've spoken about this many, many places, I keep repeating it. Passwords don't represent our current need for strong digital authentication. They're really, really outdated. And maybe there's a chance to come out of this crisis with something better. I'm hopeful about that.

Monica Verma  23:48  
I share your hope. I really hope that happens. Absolutely. We talked a little bit about obviously, we're talking about cyber warfare, to talk about critical infrastructure. We talk about basic cyber hygiene, and all the basic cyber hygiene is absolutely critical and must be in place. But it's it's not enough. When we're talking about the evolving cyber threat landscape, when we're talking about cyber warfare, cyber attacks, the way they're changing; what are your recommendations to defend and protect critical infrastructure?

Keren Elazari  24:20  
Well, that's a very big question. Not one that we can, you know, necessarily cover in one podcast, and I'm not in a position to tell each country or each nation state what to do. But one of the things I think security strategy needs to start with -and that's true, whether your corporate or a nation state is threat modeling- is coming up with the model of what are our threats, what are the particular issues that we have? What are our crown jewels, what are our most important services? Where are we vulnerable? Really creating a very good picture of what are the potential threats? Who are the organizations that might be targeting us? What are their capabilities, and then tailoring the security approach based on that threat model. Because you know, if you are, for example, if you are a pharmaceutical company, your threat model is very specific to maybe protecting your IP and your research, but also protecting your fabrication facilities where you make your medications and the processes make sure that nothing is introduced into the formula that the formula is not disrupted in any way. Whereas where if you're a financial institution, you know, you have very different mindset, you really have to worry much more about customer data, and the security of day to day transactions and perhaps millions of transactions each day. So the threat model is different. So my recommendation is to really start with this primary thing of a threat model.

Monica Verma  25:56  
That's critical point, right? It's not necessary that you have to have one solution as a tool. Instead, learn from what other companies and countries are doing, see what your peers are doing, what works for someone who's similar to you and similar situation, and then adapt that to your own tailor to your needs. Basically, that makes total sense. And you're right, I mean, it's obviously a very big topic that we cannot cover in one podcast. So if I may just ask you, just to share your overall key message with the audience today, based on our conversations that you've had.

Keren Elazari  26:29  
Cyber Security is not just about protecting secrets, it's about protecting our way of life. Especially with COVID-19. We rely on trustworthy, connected technologies. And having those technologies in place means that we all have to be a part of the solution. We all have to be a part of the digital immune system; that means doing our part, we also have to look at the digital hygiene of our computers, our networks and our digital services. Because we're all in this together. And cybersecurity is everybody's problem. But also everybody can solve it. Everybody can be a part of the solution. That's my message to everyone today.

Monica Verma  27:14  
Fantastic and lovely. I think I really appreciate and support. It's everybody's responsibility, and everybody can be a part of the solution. Thank you for coming on the show today Keren, it was lovely to talk to you. My pleasure. Thanks for having me. Stay safe everyone. So everyone, that was today's episode, We Talk Cyber with Monica. We talked a lot about cyber warfare, critical infrastructure, resilience, basic cyber hygiene, and basically also what the term cyber security means. So I hope you really enjoyed the conversations today. I'll be back with more amazing episodes, fantastic guests and fantastic conversations. So continue tuning in, take care and stay safe.