Hello Neo | How do you know that name? | I know a lot about you | Who are you? | My name is Trinity | Trinity… the Trinity? That cracked the IRST base? | That was a long time ago | Jesus | What? | I just thought… you’re a guy | Most guys do
(The Matrix, 1999)
Meet Keren Elazari (36), one of the most successful individuals in the cyber security world today. “I’m a researcher, I’m an analyst, I’m a strategic consultant, I’m an author, I’m a lecturer. When people ask me what’s my title it’s always hard to narrow it within just one field – I do a lot of things,” she says. But in the early 90’s, when 13 years old Elazari was taking her first steps as an autodidact hacker, the world was not ready for an outstanding successful woman in this manly field. It wasn’t only Keanu Reeves who thought Trinity was a guy.
Elazari actually names another film, Hackers, starring Angelina Jolie, as part of what led her to cyber security. “When I first started going into chat rooms I used all kinds of nicknames, one of them was even Angelina’s character’s nick in the film, Acid Burn,” says Elazari. “People who watched the film probably knew it was a girl on the other side, and people who didn’t – just didn’t. I kept it like this for a simple reason: there was no advantage back then to say you’re a girl in a chat room. On the contrary – it would have attracted negative attention. It was better for me to keep a certain profile and chat about the technical stuff. In these forums there’s something called ASL (age, sex, location) question and it wouldn’t necessarily have been to my best interest to say I was a 13 year old girl from Tel Aviv.”
We will talk more about the absence of women that is still typical to this industry , more than 20 years later, but clearly the situation has significantly improved. “In ten days I’m flying to Las Vegas, to the biggest hacker conference in the world, where 20 thousand people are expected to attend. In the first years I went I could have set listening to a lecture with another thousand people in the conference hall, and besides me there were maybe five women sitting there. Five women in the same room with a thousand men is intimidating.
“In the last few years it’s been changing. I see more women, children, older people, transgenders, people with disabilities. In the 90s it was a white men club but today it’s changed, not just because people are more aware and it’s politically correct, but also because more and more people just feel more comfortable with the exposure.”
My Dad, The Cyber Security Expert
Elazari’s father is Ami Elazari, CEO of Millennium Electric and formerly a senior in 8200, the cyber intelligence unit in the Israeli Defense Forces, one of the first cyber security experts in Israel. He began his career in cyber security when Elazari was a young girl, but one shouldn’t immediately assume that has to do with Elazari’s choice of career.
“Both my parents, together and apart, always encouraged me to be inquisitive. It was my mom who bought me my first computer and had it connected to the internet. They supported me when I wanted to attend conferences, when I wanted to go to academic science youth programs, when I wanted to sign up for school, when I researched, sitting hours in front of the computer, when I asked for a separate phone line for the Internet at the time when you had to use a phone line to get online. Even when I wanted to learn to type in English it was my mom who helped me,” she reflects. “My parents, both of them, my dad with his professional background and my mom who is a career woman in an international airline, are the ones who gave me the means to delve in it and become a pro. They watched me and helped me.”
The self learning time Elazari spent during her childhood was not stopped when it was time for her to join the IDF. She looked for ways she can use her new abilities during her service but this was uncharted waters for the army. “When I was drafted there were no courses or units for cyber defense or cyber warfare like they have today but I just spent four years in the cyber world and I already knew that’s what I want to do, so in all my interviews with the recruiting and sorting officers I kept saying the same thing – information security. I was persistent yet sensitive and eventually I managed to get to a relevant position in a relevant department.”
The IDF, it seems, has grasped by now that cyber is important in more than just one way, not just for military purposes – but also social ones. “Nowadays they have so many more options, for men and for women. There are varied programs in high schools and even earlier. I think women in the army do get opportunities nowadays. What’s missing is the thing that happens afterwards, when women leave the army and for some reason choose not to make a career in cyber”.
This is not just about unit 8200, whose veterans are most sought after in the industry, but also about a wide selection of tech units and programs that the IDF is preparing and training. “8200 is truly an amazing platform, but just like the head of their veterans foundation, Nir Lempert, says, we should aspire to spread the opportunities and the success of 8200 to more groups in society, not just for people who were in 8200. There are women who don’t want to join the army for different reasons, and of course 8200 is not suitable for everyone. That’s why Israeli society should create more opportunities and programs for populations outside the army, such as ultra-orthodox women, the Arab sector and so on. Parts of the population who normally don’t serve in the IDF. That shouldn’t mean that they have no room in the cyber, hi-tech and technology industry. On the contrary. There are plenty of promising initiatives in this area, but what’s really missing in my eyes is acceptance from the people who are already in the in the industry towards the other half of society – women,” says Elazari.
8200 IDF Unit: Narrowing the Gender Gap
Naturally, being a woman in the cyber world, as well as in the military, has a feminist meaning. “I think that if we want equal rights then we should have equal duties,” says Elazari when trying to explain one of the most intriguing details in her biography: the self-taught proactive girl, who came from a supporting well connected background, who was persistent when dealing with the army and gained one success after another – chose to serve 10 years in the army, first in the standing army and later in reserve, as an officer of cyber-security in the Intelligence department. “I would have kept on serving in the reserve forces but they don’t call me anymore,” she smiles.
“Serving in certain units in the army is sort of an entry ticket to a professional club. I strongly believe serving in the reserve force is part of my duty, for the sake of equality but also because I think it’s important professionally. For me the military service was gap narrowing. I see a lot of women serving in tech units but not continuing that path after their discharge – and it’s a shame. There’s a potential here to increase the number of women in the tech industry based on tech military service.”
Despite the archetypal Israeli course of life we described hitherto, one cannot help wondering if being successful in the cyber world, where national borders do not exist, has changed Elazari’s Israeli perception. “The truth is I see myself as first of all Tel Avivi,” she answers frankly. “I was born in Tel Aviv, and even today when they ask me where I’m from I say I’m from Tel Aviv.”
Elazary and her partner, cinematographer and augmented reality games creator Nadav Hekselman, own an apartment in the city, but – if to use Elazari’s own words – they are actually “digital nomads”. She explains: “Last year Nadav was filming an American TV series for Sony and that was mostly in East Europe. I was moving in between the US, Europe and Tel Aviv. We were living out of our suitcases. But I pay taxes in Israel, my public health service is in Israel, I serve in the reserve army in Israel and my family is in Israel. Business wise I work around the world – my customers sit in Europe, the US and Japan.”
Devoting a 1/3 of her Time to the Community
Elazari holds two degrees of humanities and social studies: she graduated Tel Aviv University with a Bachelor of Arts in history and philosophy of science and ideas and a Master of Arts in security studies. Ironically she never finished the computer science degree she started before that. “My career and the business world I’m in are already in the tech area, and I wanted something else, something extra. I strongly believe in always keeping one foot in academics for the sake of intellectual freedom, to be able to do research, and because of the importance of academics in society, like our cyber conference in Tel Aviv University, which is open to anyone who wants to join. I believe educational institutes have more to offer than just degrees and diplomas.”
It’s not that Elazari completely quit the theoretical side of computing. In 2007 for example she became a certified CISSP, one of the most prestigious certifications in the programming world. “Cyber is so diverse that this is absolutely not the only relevant certificate. You need all kinds of people, not just programmers. There are so many types of knowledge: mathematicians, algorithm developers, product managers, intelligence research specialists – so many positions in this industry demand a wide selection of skills, far wider than what they teach today in computer science. I did half the degree and from what I learned half of the programming languages were already irrelevant in the real world. At the same time I got job offers in information security and it was clear to me that I could get more knowledge and experience by working with an experienced team in a big company. Working experience is far more significant in my eyes.”
Elazari’s work experience is indeed extensive, and nowadays she sorts her work to different business lines. The first of them is strategic consulting to international companies and organizations. Despite her expertise this is not technical consulting but business oriented, the kind only someone who’s well informed in the industry can do. “For example, how to start a line of products or a new business line in cyber defence,” she explains. “If a company is developing a new technological product I help them manage it – verifying the product answers needs in the market that no other product does. Alternatively, I also help hedge funds and big companies looking to invest in cyber: should they buy a startup or invest in one, should they develop their own products, should they start a new service line.” Elazari wouldn’t give names of customers due to confidentiality agreements, but from the few names she will give out, such as Adallom (bought by Microsoft), Verint, Amdocs and Israel Aerospace Industries, one can get the proportions of the business.
“My second line of business is lecturing at organizational events”, she says. “It’s not just enrichment but also very detailed technological workshops to international tech giants like Intel, PayPal, Google, Microsoft, Allianz, Siemens, GE, Cisco and others.” The companies that contact her come mostly from the finance, telecom and industrial technology fields.
The third line of business is Elazari’s pro-bono activities, and it’s as spread out as the first two. First of all she is a research associate in the Blavatnik Interdisciplinary Cyber Research Center in Tel Aviv University as well as a faculty member of Singularity University in California, a highly acclaimed private institute in Silicon Valley where a team of senior tech experts gives lectures and workshops. Elazari is a faculty member there since 2012.
On top of that she is also engaged in writing literature and organizing hackers meetups and cyber conferences, such as the BSides conference at Tel Aviv university. “I dedicate a third of my time to the community,” she says.
Practical Women in Tech
The gender gap in cyber world is addressed as part of Elazari’s probono activity. “In 2016,” she says, “I joined eight other women and we published together a book called Women in Tech, a Practical Guide. Originally it was supposed to be crowdfunded but once we got our goal budget one of America’s biggest publishing firms jumped on the chance and today it’s a best seller in Amazon, already in its third edition. We shared our stories in the book but also gave practical advice: how to prepare for an interview in the tech industry, how to negotiate for a position or salary, how to create welcoming positions to other women once you’re already promoted in the organization.
“If you look at the information security industry you will find some women in very senior positions, in Israel as well. And there are also 18-21 year old women coming out of the tech units and straight into the industry. What’s missing is mid-level female managers, not just CEOs and presidents, and also variety. There are a lot of people you can ask about women in hi-tech and they will answer ‘of course there are, there’s Keren Elazari’. I’m proud to be a prominent figure in this industry, but I don’t want to be an anecdote. I want to be one of many.”
Another pro-bono example is a professional meetup of cyber women that Elazari have been leading since 2015. “We meet once in a quarter, and all the talks given are of women from within the group. We don’t talk about combining work and being a mother or about blocks in the industry, but about what we do. Each of the speakers is giving a professional technological lecture from her field.” When we met Elazari for this interview, early July, the eighth meetup was taking place in a small cozy bar in Tel Aviv, where approximately 100 women crowded and listened to lectures.
“In every meetup we have about 50% newcomers. These are not mass meetings”, she says. The last meetup was sponsored by technology company Akamai, like the rest of the meetups, which were all sponsored by companies such as Check Point, CA and others. “Every meetup has between two to five lectures, and they are selected by the group regardless of the sponsor.”
Q: why is that necessary?
“There is a phenomenon in which women don’t attend conferences or events and don’t volunteer to give talks, even if they’re very talented. It’s a documented phenomenon in many researches. That’s why the meetups are important. I’ve learned that the most important things in information security and hacking conferences, when I had an opportunity to ask questions, suggest ideas or talk to speakers. In that sense I was always standing out, but I believe that attending conferences is not just ‘nice to have’, it’s part of the job. It’s a professional course and it’s important for networking.”
Q: How are Israeli women doing compared to other countries? After all, we are the Startup Nation.
“From my perspective, having lived in California, worked in Silicon Valley and consulted to hedge funds investing in the field, women entrepreneurs in Israel have a better starting point than our colleagues around the world. Even better than women in Silicon Valley. But there’s a gap between that potential and making it happen. There are still very few women entrepreneurs and even in the cyber field, which is the hottest right now in the Israeli startup ecosystem there’s is only a handful of women founding startups or investing in them. There are a few female partners in hedge funds specializing in cyber and I try to get to know them all, invite them to meetups and so on, but there are just a few.”
Snowden and I
In 2014 Elazary made history, double history in some way. First, her talk in TED that year was the first one ever given by an Israeli woman. But the content – her main thesis regarding hackers being the immune system of the internet – could be no less than revolutionary; especially considering that the same thesis struck roots in the industry.
“The theory struck roots, but it’s not just because of me or the talk in TED,” she claims. But still, up to July this year Elazari’s talk was the most watched hackers and information security talk in TED, second only to Edward Snowden’s talk, which by the way took place the same week.
“There are more and more organizations adopting the idea that hackers are not just malicious criminals but an important substantial part of the information security world, who often find faults before everyone else,” she claims – and she has proofs: “In the most basic level, there are four big tech companies who established a trademark based on my last sentence – so there’s definitely a branding value to it. Secondly, in the more practical sense, the phenomenon I have been researching for the past three years, which is called Bug Bounty Programs, proves more than anything how well this concept has struck roots.
“It has been years now, especially since 2014-5, that any big important tech company is having programs calling for hackers around the world to find bugs and security flaws in their system and report it. Another example is the Hack The Pentagon program, issued by the US Department Of Defence, one of the world’s most conservative establishments when it comes to hackers, in which they invited people to find bugs in their security system. Within 13 minutes they already found a bug no one knew about. In 14 days they discovered more than 250 bugs in the Pentagon’s websites that are open to the public.”
Y.H: This is very surprising, because a hacker who reports a bug and collects the bounty offered by the company could have probably made a much bigger sum if he or she had used the bug maliciously.
“That’s right, and that’s why these programs prove exactly my point. Friendly hackers are far more motivated than you think. There are hundreds of thousands registered users in platforms that provide this legitimacy that wasn’t there before. The climate towards hackers in Israel has always been relatively friendly, but in other countries not only they didn’t have working opportunities but there’s legislation considering them as criminals. It’s exactly in these countries where we see the wide acceptance of the bug bounty programs. It provides them with a legitimate hacking job for the first time in history. This phenomenon is not just helping companies to find bugs in their systems, but it’s literally changing society. It provides people employment opportunities that were not there before. It was the same for me, when I was a 15 year old hacker I had no legitimate mechanism to work with.”
And how do the last few cyber attacks, WannaCry, Petya, NotPetya, fit in? Do black hat hackers have a part in this immune system?
“The reason WannaCry (in which more than 200,000 computers around the world were attacked, Y.H) spread so quickly was due to a weakness in the Microsoft Operating System, which wasn’t supported (because Microsoft stopped supporting operating systems older than Windows 7, Y.H) and because of a tool that was leaked from the NSA.
“That’s exactly what I’m talking about in TED: who are actually the bad people? is it the hackers? Microsoft? the NSA? the person who leaked from the NSA? the people who didn’t upgrade their operating systems? there’s a big ecosystem here. And who stopped the malware in the end? an independent guy who did his own research from home and realized how to stop it.
“I believe we will see soon more ransomware attacks that will disrupt infrastructures. One of the most significant parts in WannaCry was the massive spreading in public health systems. We will see more and more attacks of this kind, that not only erase data but also affect equipment and infrastructure that are vital in modern world. This ability – to move from the web to the physical world – is the future of cyber warfare. These days it’s no longer about information security but more about cyber defense, because people almost don’t regard information as private anymore. Physical stuff, personal safety, infrastructure – these are what we need to focus on defending now.”