Date: 2020-12-31

One of Israel’s biggest information security experts couldn’t believe it had happened to him. A young hacker by the name of Moran Cerf managed to crack his password, break into his computer and gain access to his most secret, private information. Everything was revealed with frightening clarity: his bank and credit card information, his emails. The message was clear: With a little determination, daring and perhaps talent as well, it’s possible to hack anyone and anything, from private individuals to large, well-secured corporations.

That was 20 years ago, but Cerf, now a neuroscientist and business professor at the Kellogg School of Management and the neuroscience program at Northwestern University in Chicago, believes nothing has changed: “It’s impossible to seal any organization completely and hermetically,” he says in a telephone interview with TheMarker. “Both the Israel Electric Corporation and the Shin Bet security service are vulnerable – if someone wants to break into them, they’re likely to succeed. It could be expensive or difficult, but it’s always possible.”

In the first week of December – when hackers broke into the computer network of Israel’s Shirbit insurance company, stole large amounts of data from the company’s servers and demanded millions in ransom – Cerf was far from Israel. Since then, Israel has been hit by a string of other hacks, most prominently the Pay2Key attack – attributed to Iranian cybercriminals – which hit at least 80 Israeli companies and has claimed to have also targeted government ministries and even a military defense firm.

Cerf, who divides his time between Chicago, where he teaches, and New York, where his partner lives, hasn’t lived in Israel for 15 years. Nevertheless, when we requested an interview he immediately understood what it was about. After all, Cerf was one of Israel’s first hackers, and probably one of the most prominent.

In the early 2000s, when cybersecurity was still a young field, Cerf was already a professional hacker. Companies hired him to identify the weaknesses in their security systems. In one case, a bank’s board of directors even asked Cerf and his friends to break into the bank physically. “We entered and said, ‘This is a robbery,’ or something like that,” recalls Cerf. “Then we demanded they open the customer safety deposit boxes, and that’s what the teller did, because those were her instructions from her superiors. There wasn’t much money in the boxes, there were more items with sentimental value. Of course we returned them.”

The daring robbers treated their victims very well. One held a customer’s baby and another, who made sure to film the robbery, exchanged phone numbers with the teller. “That wasn’t the only time we broke into a bank,” Cerf says. “Breaking into a bank is very easy, the problem is to conceal the evidence, to know how to deal with the money without arousing suspicion. We didn’t manage to do that very well.”

Even though he has changed careers and no longer hacks companies, the subject still seems to awaken in him great curiosity and considerable nostalgia. “When I left the field, 20 years ago, I thought I could never go back to it, because it would probably change so much,” he says. “But recently I met former employees of mine, and it turns out that nothing has changed. In effect, the field is dealing with the same problems, and even bigger problems than previously. Today we conduct far more activity online, there are products that move from place to place – from a bank to a credit company, for example – and there’s a greater chance of an information security problem during these transitions.”

But the ability to protect information has also improved.

“Security is more sophisticated today, but because there’s more moving between platforms, there’s more room for human error,” Cerf said. “The biggest problem is the human factor, that’s the weak link in all this. You can put 10 locks on the door, and in the end someone leaves the window open.”

While Shirbit is trying to figure out how the hack happened, to find a way to deal with the hackers and to assess the damage caused to the company, Cerf focuses his assessments on the human factor. “One reasonable scenario is that a company employee, out of error or malice, gave a password or other classified details to a third person, another company or a hostile entity. Another scenario is that the break-in is part of a war between two companies.”

How great are the chances that the human factor is to blame?

“Many information security companies will hate me for this, because their business is technology rather than psychology. Their executives say, ‘Put up a firewall and everything will be fine,’ but from previous hacking attempts we can estimate that in 90% of cases the human factor is involved. In other words, someone who mistakenly or deliberately gave out a password, or a service provider who wanted to go home already and in his last conversation with a stubborn customer said ‘Okay, this is the first letter of your password’ and made the hackers’ work easier.”

That’s a very high percentage, how did you reach it?

“Many years ago I prepared a report for the cybersecurity firm Imperva, where I was working, and while doing it I reviewed thousands of hacks. I found that in 90% of the famous hacks a human factor or human error was involved. I don’t think anything has changed since then.”

PR and power games

Cerf discusses the case of Shirbit, which attracted great interest in Israel due to the scale and the quality of the data that was leaked to the Internet – employee pay stubs, customer claims, credit card details and ID card numbers. Shirbit is a very small insurance company, but what was done to it is of great concern to insurance companies and banks, which fear being hacked themselves and try to do everything possible to prevent it. Shirbit for its part announced, predictably, that it would refuse to negotiate with the hackers.

“The moment the demand for payment is public, most of the companies don’t agree to it,” explains Cerf. “In such cases, the companies usually say, ‘We won’t conduct negotiations with terrorists.’ It’s a matter of power games and PR. Shirbit is losing money from [the hack] and its reputation has been damaged, but the hackers are at greater risk, compared to a situation with secret negotiations. If a boy in Nahariya suddenly becomes wealthy next week, it would be noticed immediately. There are many people keeping their eyes out, and they’re all looking at any change – so it’s to everyone’s detriment in this case.”

Israel is a cybersecurity superpower. Many of the biggest companies in the field today began as startups founded by Israelis: SentinelOne, worth $3 billion today; Check Point, founded in 1993 by Gil Shwed, who is still the CEO; Palo Alto Networks, founded by Nir Zuk, who struck out on his own after helping to build Check Point and now competes with it; and Imperva, also established by a Check Point co-founder, in this case Shlomo Kramer.

Three Israeli cybersecurity firms announced significant funding rounds in December. The cloud security firm Orca Security raised $55 million, after raising $20 million in May. Salt Security raised $30 million, following a $20 million round in June. At-Bay, which offers cybersecurity insurance, raised $34 million, the same amount it raised in February.

Companies spend billions on security, passing on the costs to customers and taxpayers. But maybe it’s actually an arms race that’s profitable for all the parties, and maybe nobody is really interested in stopping this race.

“In general, the world has become more complex. There are lots of systems involved in every activity and you don’t control all the places along the way. Even if you insist on being the good guy and you didn’t switch sides, you’re liable to be harmed by someone less good.”

History is full of hackers who made the headlines: In the early 1980s Fred Cohen, an engineering student at the time, created one of the first computer viruses, a program for an application that seized control of computer operation, as an experiment in computer security. WikiLeaks founder Julian Assange was just 20 when he hacked a Canadian media company. The Israeli hacker Ehud Tenenbaum hacked computers of NASA, the Pentagon, the Knesset and other high-profile organizations at the age of 19. And of course there’s Anonymous, a group of hackers responsible for many major leaks in recent years.

“There are two main types of hackers,” says Cerf. “The first kind is an 18-year-old guy in Russia who was recruited for national service in an espionage organization. He gets instructions as to which button to press, and that can affect the world, but he’s only a foot soldier and someone else writes the script. There are many hackers like him who work in companies that provide services of this kind. They even have a customer service for hackers, only they’re on the side of the bad guys.”

The second type of hacker, he says, could be very talented computer programmers. “They sit at a computer, with a beard and a black hoodie, and hack companies like Microsoft. Afterward, they report to them, for a fee of course, the breaches they found. They rate the severity of the hack and use it to set the price of the report.

“Such hackers are paid a fortune, six figures in shekels and sometimes more, depending on the hack. They can patch the vulnerability, or they can sell it ... to the highest bidder: Iran, Israel or a competitor in China. Hackers of this type could easily join one of the large cybersecurity companies, but they prefer to work alone, from outside, even if in effect they’re cooperating with the companies. There are some who can also use this information to blackmail companies.”

‘Act as if every day is April Fool’s Day’

The hackers Cerf is talking about can sell the data itself, or code that enables their customers to break into the company. “The hackers’ market isn’t hidden,” says Cerf. “Facebook, for example, invites hackers to find breaches and report on them, for $60,000 for a minor glitch and up to $1 million if they could erase the website. These are deals that are usually made quietly.”

What are the greatest possible dangers from hacking?

“Take Gmail, for example. Today everyone is there, they send and receive email through it. In a large percentage of cases, when you want to restore a [forgotten] password to any website, it’s sent to Gmail, so all the information can be found in the Inbox. But in the end, Google’s information security is run by only about 20 people. They’re probably extremely talented, but some day one of the managers will make a mistake and give a login key for Gmail to the wrong person.

“In that case, they won’t hack only your private email, it will be a huge incident in which the whole world will see everything about everyone. Diplomatic relations will be undermined, classified trials will be revealed to everyone. That means that an hour after the Gmail system is hacked, we’ll see a huge collapse of the economy, of military systems and more. We have no way of protecting ourselves from that.”

What are the chances that such a thing will happen?

“Such an event is distant. ... At the same time, it’s possible that something like this has already happened even at Gmail, and they paid the hackers behind the scenes.”

How can a private individual protect himself?

“The usual answer is that you have to change your password every so often – but we’ve already heard those answers. So I’ll add some other solutions. The first is somewhat extreme: Simply cut yourself off from the Internet. That will solve the problem.

“I call the second solution the ‘April Fool’s Day’ solution. When someone tells you something on April 1, you’re slightly more skeptical about it because of the date. I suggest acting as if every day is April 1: Check whether the email you received from someone was really sent by him, and always check whether we believe things presented as facts.

“There are other possible solutions. For example, to always behave as though your phone was hacked just yesterday. Think about all the ways you would have tried to protect the information in your phone, and do them now. And after all that, I suggest taking into account that with every email you send on Gmail you’re actually sending a copy to Google too, and it’s on file there, even if it’s deleted on your computer. So for every email you send, think whether you would want Google, the White House or the FBI to read it.”

What not to do as CEO

Cerf couldn’t be farther from the stereotype of a hacker – or of a professor of neuroscience. He’s an amateur actor, a mountain climber, a piano player and he has a pilot’s license, and now he also serves as a consultant for films and TV shows in Hollywood. In 2015 he was featured on Elle magazine’s list of “41 Most Eligible Bachelors.”

He was born in Paris to Sarah, an Israeli fashion designer, and Michel, a French Israeli who founded a local newspaper. They immigrated to Israel when he was about 4. He grew up in Tel Aviv, majored in theater at the city’s High School of Arts and, together with his brother Yarin Cerf, acted in skits on the Israeli children’s TV program “Tofsim Rosh.”

In the army he served in Unit 8200, Israel’s top signal intelligence and cybersecurity unit. After completing his service he worked briefly at Check Point and later at Imperva. He went on to found his own cybersecurity firm. At 24, after his “bank robbing” days, he earned a Bachelor’s in physics and a Master’s in the philosophy of science at Tel Aviv University.

“The robbery story was very picturesque, but it wasn’t exceptional. It happens today too. There are people who specialize in that, they try to break into a bank and report the breaches to the company. In effect, you can’t run a bank without providing a quarterly report based on an attempt at a break-in.”

His career shift took place several years later, when during one of his business trips to the United States he met Francis Crick, who together with James Watson and Maurice Wilkins was awarded the 1962 Nobel Prize in Physiology or Medicine for discovering the structure of DNA. Crick, who saw a connection between hacking computers and neuroscience, proposed that he change sides. Cerf accepted the challenge, and completed his doctorate in neuroscience at the California Institute of Technology, known as Caltech.

Cerf is working on several interesting studies in neuroscience. The first is research on the ability to “read” dreams. The second deals with the ability to change people’s senses, so that the sense of smell connects to the sense of sight, and so on. Another study on which Cerf and his colleagues are working focuses on changing memories. It is designed to demonstrate how very small changes in the details of a story cause people to “update” details in their memory, and to gradually change their minds about a specific subject – even when it is basic to their identity.

In recent years neuroscience has become an integral part of the world of business and economics. And still, how is hacking computers and security related to neuroscience?

“There’s a great deal of similarity in the tools: Statistics and programming are tools both of a neuroscientist and a hacker. In both cases there’s a black box whose inner parts are inaccessible. Both require the ability to look at problems from the opposite direction. Hackers know how to do that, and scientists do it all the time.

“The attempt by neuroscientists to understand human beings as a brain-related and psychological system is something that hackers are very good at. And after all that you have to remember: All the passwords are in our brain, and they can be accessed directly via the gray cells. So maybe soon we’ll no longer have to hack smartphones or computers in order to retrieve passwords.”

Do you teach your students, as executives in large or small companies, how to use the weaknesses of the human brain in order to sell more? To exploit consumers?

“A question of that kind comes up in every course. Each time we announce that we’ll teach tricks to convince consumers to carry out certain activities, there will always be one student who will raise his hand and say it’s a disaster and he isn’t willing to participate in that kind of a world of tricks. And then I reply that he has to remember what he said when he’s the CEO of a business, when in a quarter when he won’t be earning enough he can say to himself ‘I can do this and that trick in order to add a few more zeros to the bottom line,’ or will prefer to be faithful to the statement ‘That’s not the world in which I want to live.’

“I hope the message I’m trying to convey – that if you don’t like something as a customer, don’t do it as a company – gets through to the students. In my opinion, the new generation thinks that way, I believe in it.”

The last stop

How can Facebook, Google, YouTube and the other technology giants influence our choices?

“I’ll give you an example from marketing. You enter the supermarket and in front of you is a shelf full of products. You say to yourself that when you choose the product you want, such as toothpaste for example, you’re making a clear, rational choice, based on price, packaging, the amount of menthol [flavor] and so on. But every time you think it’s a choice that represents the real you, you’ve lied to yourself – because you didn’t choose which products appear on the shelf and in what order. You never make a choice free of the influence of others. Big companies such as Facebook, Google and YouTube have a lot of knowledge about our choices. They control the situation.

“Everything I’ve just said was true of 2020. But that’s history. In 2021 we’ll shift to a world in which the choice is not made in the conscious part of the brain, but in its subconscious part. All the studies my colleagues and I are doing, as part of Human 2.0, are designed to connect external systems directly to our brain, without intermediaries. In other words, the choice will be made by the power of thought, without our having to press a button. The attempt by Elon Musk, the CEO of Tesla, to connect to the brain by implanting a chip, is the first stage.”

How close are we to implanting new thoughts in our brains?

“Our research is trying to understand the language of the brain, and to see which chip can be implanted in the brain to enable us to make decisions more rationally and more correctly. Today we eat unhealthy food, smoke, drive and constantly cause traffic accidents – all that can be prevented if we can connect the brain to systems that can cause us to do things correctly.

“Our success is exponential, and the experiments being conducted at present in rats enable us to read their thoughts and to transfer information from one rat to another by transferring the chip. In human beings we’re beginning to see that the brain can be connected to external systems, in people who have sustained injuries and are unable to connect the brain to the body directly. They in effect can now control their world through the brain. For example, a person who returned from battle and was wounded in his upper limbs, can activate them by means of a robot that works for him by the power of thought.”

It sounds marvelous, but the other side is that such information and capabilities could fall into the wrong hands.

“Such information will in fact fall into the wrong hands. I’m not sure it’s in the right hands at the moment. These are two sides of the same coin. We see the preparations by Facebook and Twitter to reach our brain. Once Facebook is inside our brain, there will be little protection left. But we can decide whether or not to cooperate.”

There’s a lot of talk recently about “fact checking.” Is our brain even interested in and built to check facts?

“In our house there’s a big sign that says ‘Don’t believe everything you think.’ In the context of the process of evolution we constructed a brain that works really well, and does the job of skepticism wonderfully. It checks the facts and creates a wonderful narrative of our lives when it takes in information. But the moment the information enters, it stops checking facts. As far as I’m concerned, what’s in my memory is true. If we met yesterday, and today you tell me that there was no such meeting, I’ll tell you, ‘What are you talking about, I remember that we met.’

“That’s how it is – when the information enters the brain, as far as we’re concerned it has become the truth. When we enter a world in which corporations have access to your brain, we’ve reached the last stop. Now, not only can’t you do fact checking when the information enters, but you can’t even when it’s already inside your head.”

One topic Cerf is studying is the effects of interpersonal communication on brain development. In that sense, the coronavirus, social distancing and lockdowns have affected our ability to communicate. Psychologists and psychiatrists speak of the potentially serious consequences of social isolation, such as depression. But Cerf adds another layer – cognitive damage.

“As long as a person is by himself for a limited time, like for a walk in the park or meditation, everything is fine. But long-term isolation is almost always bad. People sleep less, are less focused, get caught up in an internal loop.” He says the clearest illustration of the importance of interpersonal communication is Alcatraz Prison, the infamous federal penitentiary on a tiny island in San Francisco Bay. “There were murderers and rapists there, but the prisoners always preferred to be together. The worst punishment was isolation, although there were terrible prisoners there. Any communication is preferable to an absence of communication.”

So the coronavirus has damaged the human brain?

“In principle, yes, although most people certainly spoke on the phone or on Zoom, and that’s enough to create communication.”

Five years from now, will everything be done by the power of thought?

“Even more than that, Amazon will know you so well that it will know that the milk is almost finished and will order a new bottle for you without your even thinking about it.”

That’s quite terrifying.

“Totally. There are a lot of good things about it, but these developments also have a dark side. They can increase social inequality and cause a great deal of damage in the wrong hands.”